This is the start of the stable review cycle for the 3.16.60 release. There are 366 patches in this series, which will be posted as responses to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Fri Oct 19 17:00:00 UTC 2018. Anything received after that time might be too late.
All the patches have also been committed to the linux-3.16.y-rc branch of https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git . A shortlog and diffstat can be found below.
Ben.
-------------
Aaron Ma (2): HID: core: Fix size as type u32 [6de0b13cc0b4ba10e98a9263d7a83b940720b77a] HID: i2c-hid: fix size check and type usage [ac75a041048b8c1f7418e27621ca5efda8571043]
Al Viro (12): Don't leak MNT_INTERNAL away from internal mounts [16a34adb9392b2fe4195267475ab5b472e55292c] affs_lookup(): close a race with affs_remove_link() [30da870ce4a4e007c901858a96e9e394a1daa74a] aio: fix io_destroy(2) vs. lookup_ioctx() race [baf10564fbb66ea222cae66fbff11c444590ffd9] do d_instantiate/unlock_new_inode combinations safely [1e2e547a93a00ebc21582c06ca3c6cfea2a309ee] ext2: fix a block leak [5aa1437d2d9a068c0334bd7c9dafa8ec4f97f13b] fix io_destroy()/aio_complete() race [4faa99965e027cc057c5145ce45fa772caa04e8d] hypfs_kill_super(): deal with failed allocations [a24cd490739586a7d2da3549a1844e1d7c4f4fc4] jffs2_kill_sb(): deal with failed allocations [c66b23c2840446a82c389e4cb1a12eb2a71fa2e4] rpc_pipefs: fix double-dput() [4a3877c4cedd95543f8726b0a98743ed8db0c0fb] udf: fix the udf_iget() vs. udf_new_inode() races [b231509616feb911c2a7a8814d58c0014ef5b17f] udf: merge the pieces inserting a new non-directory object into directory [d2be51cb34dc501791f3b8c01a99a3f2064bd8d1] ufs: deal with nfsd/iget races [e4502c63f56aeca887ced37f24e0def1ef11cec8]
Alan Cox (1): tty: handle the case where we cannot restore a line discipline [8a8dabf2dd68caff842d38057097c23bc514ea6e]
Alan Stern (1): USB: Accept bulk endpoints with 1024-byte maxpacket [fb5ee84ea72c5f1b6cabdd1c9d6e8648995ca7c6]
Alex Smith (1): mmc: jz4740: Fix race condition in IRQ mask update [a04f0017c22453613d5f423326b190c61e3b4f98]
Alexander Gerasiov (1): parport_pc: Add support for WCH CH382L PCI-E single parallel port card. [823f7923833c6cc2b16e601546d607dcfb368004]
Alexey Khoroshilov (2): vmxnet3: avoid assumption about invalid dma_pa in vmxnet3_set_mc() [fb5c6cfaec126d9a96b9dd471d4711bf4c737a6f] vmxnet3: fix checks for dma mapping errors [5738a09d58d5ad2871f1f9a42bf6a3aa9ece5b3c]
Amir Goldstein (1): fanotify: fix logic of events on child [54a307ba8d3cd00a3902337ffaae28f436eeb1a4]
Andrew Morton (1): fs/reiserfs/journal.c: add missing resierfs_warning() arg [9ad553abe66f8be3f4755e9fa0a6ba137ce76341]
Andrey Ignatov (1): ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg [1b97013bfb11d66f041de691de6f0fec748ce016]
Andy King (1): VMXNET3: Check for map error in vmxnet3_set_mc [4ad9a64f53c619969dede1143d56ccda1a453c39]
Aneesh Kumar K.V (1): powerpc/mm/hugetlb: initialize the pagetable cache correctly for hugetlb [6fa504835d6969144b2bd3699684dd447c789ba2]
Ard Biesheuvel (1): efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32' definition for mixed mode [0b3225ab9407f557a8e20f23f37aa7236c10a9b1]
Arnaldo Carvalho de Melo (1): perf top: Document --ignore-vmlinux [a8403912d04e2c8271653bb5b7f6294dc6d322ac]
Arnd Bergmann (1): media: s3c-camif: fix out-of-bounds array access [a398e043637a4819a0e96467bfecaabf3224dd62]
Bai Ping (1): thermal: imx: register irq handler later in probe [84866ee5818e95f6e97194656777c10ac24cb9d3]
Bart Van Assche (1): IB/srp: Fix srp_abort() [e68088e78d82920632eba112b968e49d588d02a2]
Ben Hutchings (4): ALSA: timer: Fix pause event notification [3ae180972564846e6d794e3615e1ab0a1e6c4ef9] drm/msm: Fix possible null dereference on failure of get_pages() [3976626ea3d2011f8fd3f3a47070a8b792018253] ppp: Fix null pointer dereference on registration failure [96d934c70db6e1bc135600c57da1285eaf7efb26] scsi: qla2xxx: Avoid double completion of abort command [3a9910d7b686546dcc9986e790af17e148f1c888]
Bharat Potnuri (1): iw_cxgb4: Atomically flush per QP HW CQEs [2df19e19ae90d94fd8724083f161f368a2797537]
Bin Liu (1): usb: musb: host: fix potential NULL pointer dereference [2b63f1329df2cd814c1f8353fae4853ace6521d1]
Bjorn Helgaas (1): drm/radeon: make MacBook Pro d3_delay quirk more generic [5938628c51a711ae2169d68b2e3a4f7d93d4dbea]
Bjørn Mork (1): qmi_wwan: do not steal interfaces from class drivers [5697db4a696c41601a1d15c1922150b4dbf5726c]
Brad Volkin (1): drm/i915: Log a message when rejecting LRM to OACONTROL [00caf0199f66871b0e2c28d7c2079de0ce1d646c]
Bryan O'Donoghue (1): rtc: snvs: Fix usage of snvs_rtc_enable [1485991c024603b2fb4ae77beb7a0d741128a48e]
Chao Yu (2): f2fs: reposition unlock_new_inode to prevent accessing invalid inode [b73e52824c8920a5ff754e3c8ff68466a7dd61f9] udf: avoid unneeded up_write when fail to add entry in ->symlink [85cd083b498572fb9fa575cce3ed910c8ee84294]
Charles Keepax (2): regmap: Correct offset handling in regmap_volatile_range [b8f9a03b741ddfdde4aa8b607fa7d88eb63a6338] regmap: Don't use format_val in regmap_bulk_read [9ae27a8d1f3ebff09191fb8cb1341414547293b2]
Chris Mason (1): Btrfs: use insert_inode_locked4 for inode creation [b0d5d10f41a0f1cd839408dd94427f2db3553bca]
Chris Metcalf (3): Make asm/word-at-a-time.h available on all architectures [a6e2f029ae34f41adb6ae3812c32c5d326e1abd2] string: provide strscpy() [30035e45753b708e7d47a98398500ca005e02b86] word-at-a-time.h: fix some Kbuild files [19c22f3a29fa8669c477f20a65f6c7c27108972a]
Clemens Werther (1): USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator [6555ad13a01952c16485c82a52ad1f3e07e34b3a]
Colin Ian King (5): KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable" [ba3696e94d9d590d9a7e55f68e81c25dba515191] RDMA/iwpm: fix memory leak on map_info [f96416cea7bce9afe619c15e87fced70f93f9098] media: cx25821: prevent out-of-bounds read on array card [67300abdbe9f1717532aaf4e037222762716d0f6] rtc: tx4939: avoid unintended sign extension on a 24 bit shift [347876ad47b9923ce26e686173bbf46581802ffa] staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr [e1a7418529e33bc4efc346324557251a16a3e79b]
Collin May (1): USB: serial: simple: add libtransistor console [fe710508b6ba9d28730f3021fed70e7043433b2e]
Cong Wang (2): llc: fix NULL pointer deref for SOCK_ZAPPED [3a04ce7130a7e5dad4e78d45d50313747f8c830f] llc: hold llc_sap before release_sock() [f7e43672683b097bb074a8fe7af9bc600a23f231]
Dan Carpenter (2): net: ethernet: davinci_emac: fix error handling in probe() [8005b09d99fac78e6f5fb9da30b5ae94840af03b] xen/acpi: off by one in read_acpi_id() [c37a3c94775855567b90f91775b9691e10bd2806]
Daniel Borkmann (1): bpf, x64: fix memleak when not converging after image [3aab8884c9eb99189a3569ac4e6b205371c9ac0b]
Danilo Krummrich (1): fs/proc/proc_sysctl.c: fix potential page fault while unregistering sysctl table [a0b0d1c345d0317efe594df268feb5ccc99f651e]
Danit Goldberg (1): IB/mlx5: Use unlimited rate when static rate is not supported [4f32ac2e452c2180cd2df581cbadac183e27ecd0]
Dave Airlie (1): drm: set FMODE_UNSIGNED_OFFSET for drm files [76ef6b28ea4f81c3d511866a9b31392caa833126]
David Henningsson (1): ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr [f853dcaae2f5bbe021161e421bd1576845bae8f6]
David Howells (1): afs: Fix directory permissions check [378831e4daec75fbba6d3612bcf3b4dd00ddbf08]
David Lechner (1): pinctrl: pinctrl-single: Fix pcs_request_gpio() when bits_per_mux != 0 [45dcb54f014d3d1f5cc3919b5f0c97087d7cb3dd]
Davidlohr Bueso (5): Revert "ipc/shm: Fix shmat mmap nil-page protection" [a73ab244f0dad8fffb3291b905f73e2d3eaa7c00] ipc,shm: move BUG_ON check into shm_lock [c5c8975b2eb4eb7604e8ce4f762987f56d2a96a2] ipc/sem: make semctl setting sempid consistent [a5f4db877177d2a3d7ae62a7bac3a5a27e083d7f] ipc/shm: fix shmat() nil address after round-down when remapping [8f89c007b6dec16a1793cb88de88fcc02117bbbc] ipc: convert invalid scenarios to use WARN_ON [d0edd8528362c07216498340e928159510595e7b]
Dennis Wassenberg (1): Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list [b56af54ac78c54a519d82813836f305d7f76ef27]
Dexuan Cui (1): tick/broadcast: Use for_each_cpu() specially on UP kernels [5596fe34495cf0f645f417eb928ef224df3e3cb4]
Dmitry Safonov (1): tracing/uprobe: Drop isdigit() check in create_trace_uprobe [5ba8a4a96f6eaa6af88e24c7794f142217aa3b6f]
Dou Liyang (1): x86/acpi: Prevent X2APIC id 0xffffffff from being accounted [10daf10ab154e31237a8c07242be3063fb6a9bf4]
Eliot Blennerhassett (1): ALSA: asihpi: used parts of message/response are zeroed before use [51e6f47dd2e3463dac6f37128fd7b7cb40c500de]
Eric Biggers (5): KEYS: DNS: limit the length of option strings [9c438d7a3a52dcc2b9ed095cb87d3a5e83cf7e60] crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one [8f461b1e02ed546fbd0f11611138da67fd85a30f] ext4: correctly detect when an xattr value has an invalid size [d7614cc16146e3f0b4c33e71875c19607602aed5] ipc/shm: fix use-after-free of shm file via remap_file_pages() [3f05317d9889ab75c7190dcd39491d2a97921984] ppp: remove the PPPIOCDETACH ioctl [af8d3c7c001ae7df1ed2b2715f058113efc86187]
Eric Dumazet (21): crypto: af_alg - fix possible uninit-value in alg_bind() [a466856e0b7ab269cdf9461886d007e88ff575b0] dccp: fix tasklet usage [a8d7aa17bbc970971ccdf71988ea19230ab368b1] ip6_gre: better validate user provided tunnel names [5f42df013b8bc1b6511af7a04bf93b014884ae2a] ip6_tunnel: better validate user provided tunnel names [db7a65e3ab78e5b1c4b17c0870ebee35a4ee3257] ip_tunnel: better validate user provided tunnel names [9cb726a212a82c88c98aa9f0037fd04777cd8fe5] ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy [aa8f8778493c85fff480cdf8b349b1e1dcb5f243] ipv6: sit: better validate user provided tunnel names [b95211e066fc3494b7c115060b2297b4ba21f025] llc: better deal with too small mtu [2c5d5b13c6eb79f5677e206b8aad59b3a2097f60] net: af_packet: fix race in PACKET_{R|T}X_RING [5171b37d959641bbc619781caf62e61f7b940871] net: fix rtnh_ok() [b1993a2de12c9e75c35729e2ffbc3a92d50c0d31] net: fix uninit-value in __hw_addr_add_ex() [77d36398d99f2565c0a8d43a86fd520a82e64bb8] net: initialize skb->peeked when cloning [b13dda9f9aa7caceeee61c080c2e544d5f5d85e5] net_sched: fq: take care of throttled flows before reuse [7df40c2673a1307c3260aab6f9d4b9bf97ca8fd7] netlink: fix uninit-value in netlink_sendmsg [6091f09c2f79730d895149bcfe3d66140288cd0e] sctp: do not leak kernel memory to user space [6780db244d6b1537d139dea0ec8aad10cf9e4adb] soreuseport: initialise timewait reuseport field [3099a52918937ab86ec47038ad80d377ba16c531] tcp: fix TCP_REPAIR_QUEUE bound checking [bf2acc943a45d2b2e8a9f1a5ddff6b6e43cc69d9] tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets [7212303268918b9a203aebeacfdbd83b5e87b20d] tcp: purge write queue in tcp_connect_init() [7f582b248d0a86bae5788c548d7bb5bca6f7691a] vti6: better validate user provided tunnel names [537b361fbcbcc3cd6fe2bb47069fd292b9256d16] xfrm6: avoid potential infinite loop in _decode_session6() [d9f92772e8ec388d070752ee8f187ef8fa18621f]
Eric W. Biederman (4): ipc/msg: Fix msgctl(..., IPC_STAT, ...) between pid namespaces [39a4940eaa185910bb802ca9829c12268fd2c855] ipc/sem: Fix semctl(..., GETPID, ...) between pid namespaces [51d6f2635b39709ee5e62479be23d423b760292c] ipc/shm: Fix shmctl(..., IPC_STAT, ...) between pid namespaces. [98f929b1bd4d0b7c7a77d0d9776d1b924db2e454] ipc/util: Helpers for making the sysvipc operations pid namespace aware [03f1fc09180b345582889a344b012d069b3a6dbe]
Eryu Guan (1): ext4: protect i_disksize update by i_data_sem in direct write path [73fdad00b208b139cf43f3163fbc0f67e4c6047c]
Fabián Inostroza (1): ALSA: line6: Use correct endpoint type for midi output [7ecb46e9ee9af18e304eb9e7d6804c59a408e846]
Federico Cuello (1): ALSA: usb: mixer: volume quirk for CM102-A+/102S+ [21493316a3c4598f308d5a9fa31cc74639c4caff]
Filipe Manana (3): Btrfs: don't leave dangling dentry if symlink creation failed [d50866d00fb39fcf72307001763ee9cc92625a43] Btrfs: ensure tmpfile inode is always persisted with link count of 0 [5762b5c958abbecb7fb9f4596a6476d1ce91ecf6] Btrfs: fix copy_items() return value when logging an inode [8434ec46c6e3232cebc25a910363b29f5c617820]
Florent Flament (1): drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log [280b54ade5914d3b4abe4f0ebe083ddbd4603246]
Florian Fainelli (2): net: bcmgenet: Fix sparse warnings in bcmgenet_put_tx_csum() [6f89421180f15867dc1472d9edf68f82b0ed5ee6] net: systemport: Fix sparse warnings in bcm_sysport_insert_tsb() [c0eb05585d4184596453622b5abba7d13dd20667]
Florian Westphal (1): netfilter: nf_tables: can't fail after linking rule into active rule list [569ccae68b38654f04b6842b034aa33857f605fe]
Francisco Jerez (1): drm/i915: Fix command parser to validate multiple register access with the same command. [6a65c5b9326c9dd391afb1b3df75cbedffbaccdb]
Geert Uytterhoeven (6): serial: arc_uart: Fix out-of-bounds access through DT alias [f9f5786987e81d166c60833edcb7d1836aa16944] serial: fsl_lpuart: Fix out-of-bounds access through DT alias [ffab87fdecc655cc676f8be8dd1a2c5e22bd6d47] serial: imx: Fix out-of-bounds access through serial port index [5673444821406dda5fc25e4b52aca419f8065a19] serial: mxs-auart: Fix out-of-bounds access through serial port index [dd345a31bfdec350d2593e6de5964e55c7f19c76] serial: pxa: Fix out-of-bounds access through serial port index [afc7851fab8329eddcf321c9e0a58c893f351dd6] serial: xuartps: Fix out-of-bounds access through DT alias [e7d75e18d0fc3f7193b65282b651f980c778d935]
Govindarajulu Varadarajan (1): enic: set DMA mask to 47 bit [322eaa06d55ebc1402a4a8d140945cff536638b4]
Greg Kroah-Hartman (1): USB: serial: visor: handle potential invalid device configuration [4842ed5bfcb9daf6660537d70503c18d38dbdbb8]
Guenter Roeck (4): hwmon: (nct6683) Enable EC access if disabled at boot [dbac00f0cf634120d77edee10d25e3f6899d7636] hwmon: (nct6775) Fix writing pwmX_mode [415eb2a1aaa4881cf85bd86c683356fdd8094a23] hwmon: (pmbus/adm1275) Accept negative page register values [ecb29abd4cb0670c616fb563a078f25d777ce530] hwmon: (pmbus/max8688) Accept negative page register values [a46f8cd696624ef757be0311eb28f119c36778e8]
Guillaume Nault (12): l2tp: check sockaddr length in pppol2tp_connect() [eb1c28c05894a4b1f6b56c5bf072205e64cfa280] l2tp: fix race in duplicate tunnel detection [f6cd651b056ffd3b4e8496afd44d4ed44bf69136] l2tp: fix races in tunnel creation [6b9f34239b00e6956a267abed2bc559ede556ad6] l2tp: fix {pppol2tp, l2tp_dfs}_seq_stop() in case of seq_file overflow [5411b6187adf62909e3b998ac782e722904c7487] l2tp: hold reference on tunnels in netlink dumps [5846c131c39b6d0add36ec19dc8650700690f930] l2tp: hold reference on tunnels printed in l2tp/tunnels debugfs file [f726214d9b23e5fce8c11937577a289a3202498f] l2tp: hold reference on tunnels printed in pppol2tp proc file [0e0c3fee3a59a387aeecc4fca6f3a2e9615a5443] ppp: fix device unregistration upon netns deletion [8cb775bc0a34dc596837e7da03fd22c747be618b] ppp: fix lockdep splat in ppp_dev_uninit() [58a89ecaca53736aa465170530acea4f8be34ab4] ppp: fix race in ppp device destruction [6151b8b37b119e8e3a8401b080d532520c95faf4] ppp: unlock all_ppp_mutex before registering device [0171c41835591e9aa2e384b703ef9a6ae367c610] pppoe: check sockaddr length in pppoe_connect() [a49e2f5d5fb141884452ddb428f551b123d436b5]
Gustavo A. R. Silva (3): atm: zatm: Fix potential Spectre v1 [2be147f7459db5bbf292e0a6f135037b55e20b39] kernel/sys.c: fix potential Spectre v1 issue [23d6aef74da86a33fa6bb75f79565e0a16ee97c2] net: atm: Fix potential Spectre v1 [acf784bd0ce257fe43da7ca266f7a10b837479d2]
Hans de Goede (1): libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs [184add2ca23ce5edcac0ab9c3b9be13f91e7b567]
Heinrich Schuchardt (1): usb: musb: gadget: misplaced out of bounds check [af6f8529098aeb0e56a68671b450cf74e7a64fcd]
Helge Deller (2): parisc: Fix HPMC handler by increasing size to multiple of 16 bytes [d5654e156bc4d68a87bbaa6d7e020baceddf6e68] parisc: Fix out of array access in match_pci_device() [615b2665fd20c327b631ff1e79426775de748094]
Hendrik Brueckner (1): s390/cpum_sf: ensure sample frequency of perf event attributes is non-zero [4bbaf2584b86b0772413edeac22ff448f36351b1]
Herbert Xu (1): crypto: ahash - Fix early termination in hash walk [900a081f6912a8985dc15380ec912752cb66025a]
Himanshu.Madhani@Cavium.Com (1): scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS [1514839b366417934e2f1328edb50ed1e8a719f5]
Hpreg@Vmware.Com (1): vmxnet3: set the DMA mask before the first DMA map operation [61aeecea40afb2b89933e27cd4adb10fc2e75cfd]
Huacai Chen (1): zboot: fix stack protector in compressed boot phase [7bbaf27d9c83037b6e60a818e57bdbedf6bc15be]
Ian Kent (1): autofs: mount point create should honour passed in mode [1e6306652ba18723015d1b4967fe9de55f042499]
Igor Pylypiv (1): watchdog: f71808e_wdt: Fix WD_EN register read [977f6f68331f94bb72ad84ee96b7b87ce737d89d]
Ilya Dryomov (1): libceph: validate con->state at the top of try_write() [9c55ad1c214d9f8c4594ac2c3fa392c1c32431a7]
Ivan Khoronzhuk (1): net: ethernet: ti: cpdma: correct error handling for chan create [8a83c5d7969b8433584e3cf658a8d76c4dc37f4d]
Jack Morgenstein (1): net/mlx4: Fix irq-unsafe spinlock usage [d546b67cda015fb92bfee93d5dc0ceadb91deaee]
Jaegeuk Kim (2): f2fs: call f2fs_unlock_op after error was handled [44c16156512f33c81e382a1e1df9524e26a7026a] f2fs: go out for insert_inode_locked failure [a21c20f0c812925085204fced932ac95f2a76bf0]
James Kelly (1): ASoC: ssm2602: Replace reg_default_raw with reg_default [a01df75ce737951ad13a08d101306e88c3f57cb2]
Jan Kara (3): bdi: Fix oops in wb_workfn() [b8b784958eccbf8f51ebeee65282ca3fd59ea391] ufs: Fix possible deadlock when looking up directories [514d748f69c97a51a2645eb198ac5c6218f22ff9] ufs: Fix warning from unlock_new_inode() [12ecbb4b1d765a5076920999298d9625439dbe58]
Jann Horn (1): tcp: don't read out-of-bounds opsize [7e5a206ab686f098367b61aca989f5cdfa8114a3]
Jason Andryuk (1): HID: i2c-hid: Fix "incomplete report" noise [ef6eaf27274c0351f7059163918f3795da13199c]
Jeff Moyer (1): block_invalidatepage(): only release page if the full page was invalidated [3172485f4f8032649c144e4aafa550e1e6179332]
Jens Remus (1): scsi: zfcp: fix infinite iteration on ERP ready list [fa89adba1941e4f3b213399b81732a5c12fd9131]
Jerome Brunet (1): clk: fix mux clock documentation [fe3f338f0cb2ed4d4f06da054c21ae2f8a36ef2d]
Jimmy Assarsson (1): can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() [6ee00865ffe4e8c8ba4a68d26db53c7ec09bbb89]
Jiri Olsa (1): perf record: Put new line after target override warning [c3dec27b7f70a9ad5f777d943d51ecdfcd9824d0]
Joakim Tjernlund (3): mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block. [6510bbc88e3258631831ade49033537081950605] mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug. [46a16a2283f9e678a4e26829175e0c37a5191860] mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block. [7b70eb14392a7cf505f9b358d06c33b5af73d1e7]
Joe Jin (1): xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent [4855c92dbb7b3b85c23e88ab7ca04f99b9677b41]
Joerg Roedel (1): x86/mm: Prevent kernel Oops in PTDUMP code with HIGHPTE=y [d6ef1f194b7569af8b8397876dc9ab07649d63cb]
Johan Hovold (2): USB: serial: cp210x: add ELDAT Easywave RX09 id [1f1e82f74c0947e40144688c9e36abe4b3999f49] rfkill: gpio: fix memory leak in probe error path [4bf01ca21e2e0e4561d1a03c48c3d740418702db]
Jonathan Neuschäfer (1): net: core: dst: Add kernel-doc for 'net' parameter [8eb1a8590f5ca114fabf16ebb26a4bce0255ace9]
Julian Anastasov (3): ipv4: fix fnhe usage by non-cached routes [94720e3aee6884d8c8beb678001629da60ec6366] ipvs: fix buffer overflow with sync daemon and service [52f96757905bbf0edef47f3ee6c7c784e7f8ff8a] ipvs: fix stats update from local clients [d5e032fc5697b6c0d6b4958bcacb981a08f8174e]
Julian Wiedmann (5): s390/qdio: don't merge ERROR output buffers [0cf1e05157b9e5530dcc3ca9fec9bf617fc93375] s390/qdio: don't release memory in qdio_setup_irq() [2e68adcd2fb21b7188ba449f0fab3bee2910e500] s390/qdio: don't retry EQBS after CCQ 96 [dae55b6fef58530c13df074bcc182c096609339e] s390/qdio: fix access to uninitialized qdio_q fields [e521813468f786271a87e78e8644243bead48fad] s390/qeth: handle failure on workqueue creation [a936b1ef37ce1e996533878f4b23944f9444dcdf]
Kai-Heng Feng (2): sky2: Increase D3 delay to sky2 stops working after suspend [afb133637071be6deeb8b3d0e55593ffbf63c527] xhci: Fix USB ports for Dell Inspiron 5775 [621faf4f6a181b6e012c1d1865213f36f4159b7f]
Kamil Lulko (1): usb: core: Add quirk for HP v222w 16GB Mini [3180dabe08e3653bf0a838553905d88f3773f29c]
Kenny Yu (1): uprobe: Find last occurrence of ':' when parsing uprobe PATH:OFFSET [6496bb72bf20c1c7e4d6be44dfa663163e709116]
Kirill A. Shutemov (1): ipc/shm: handle removed segments gracefully in shm_mmap() [1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e]
Krzysztof Mazur (1): um: Use POSIX ucontext_t instead of struct ucontext [4d1a535b8ec5e74b42dfd9dc809142653b2597f6]
Kyle Roeschley (1): USB: serial: cp210x: add ID for NI USB serial console [1e23aace21515a8f7615a1de016c0ea8d4e0cc6e]
Lance Richardson (1): net: support compat 64-bit time in {s,g}etsockopt [988bf7243e03ef69238381594e0334a79cef74a6]
Leon Romanovsky (1): RDMA/mlx5: Protect from shift operand overflow [002bf2282b2d7318e444dca9ffcb994afc5d5f15]
Leonard Crestez (1): crypto: arm,arm64 - Fix random regeneration of S_shipped [6aaf49b495b446ff6eec0ac983f781ca0dc56a73]
Li RongQing (1): x86/apic: Fix signedness bug in APIC ID validity checks [a774635db5c430cbf21fa5d2f2df3d23aaa8e782]
Linus Lüssing (1): batman-adv: Fix TT sync flags for intermediate TT responses [7072337e52b3e9d5460500d8dc9cbc1ba2db084c]
Linus Torvalds (3): give up on gcc ilog2() constant optimizations [474c90156c8dcc2fa815e6716cc9394d7930cb9c] mmap: introduce sane default mmap limits [be83bbf806822b1b89e0a0f23cd87cddc409e429] mmap: relax file size limit for regular files [423913ad4ae5b3e8fb8983f70969fb522261ba26]
Liu Bo (3): Btrfs: bail out on error during replay_dir_deletes [b98def7ca6e152ee55e36863dddf6f41f12d1dc6] Btrfs: fix NULL pointer dereference in log_dir_items [80c0b4210a963e31529e15bf90519708ec947596] Btrfs: fix unexpected cow in run_delalloc_nocow [5811375325420052fcadd944792a416a43072b7f]
Long Li (1): cifs: Allocate validate negotiation request through kmalloc [2796d303e3c5ec213c578ed3a66872205c126eb8]
Maciej W. Rozycki (3): MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs [9a3a92ccfe3620743d4ae57c987dc8e9c5f88996] MIPS: ptrace: Expose FIR register through FP regset [71e909c0cdad28a1df1fa14442929e68615dee45] MIPS: ptrace: Fix PTRACE_PEEKUSR requests for 64-bit FGRs [c7e814628df65f424fe197dde73bfc67e4a244d7]
Mahesh Rajashekhara (1): scsi: sd: Defer spinning up drive while SANITIZE is in progress [505aa4b6a8834a2300971c5220c380c3271ebde3]
Major Hayden (1): USB: serial: ftdi_sio: add RT Systems VX-8 cable [9608e5c0f079390473b484ef92334dfd3431bb89]
Marc Dionne (1): afs: Ignore AFS_ACE_READ and AFS_ACE_WRITE for directories [fd2498211a551fd42b2d6b9050d649d43536e75c]
Marc Zyngier (1): KVM: arm/arm64: Close VMID generation race [f0cf47d939d0b4b4f660c5aaa4276fa3488f3391]
Marek Lindner (1): batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs [16116dac23396e73c01eeee97b102e4833a4b205]
Mark Brown (1): regmap: Support bulk reads for devices without raw formatting [d5b98eb12420ce856caaf57dc5256eedc56a3747]
Markus Elfring (2): tracing: Deletion of an unnecessary check before iput() [16a8ef2751801346f1f76a18685b2beb63cd170f] video/fbdev/stifb: Return -ENOMEM after a failed kzalloc() in stifb_init_fb() [f9815f945aff2204b8afbbb9d2182024eb44a194]
Martin K. Petersen (1): scsi: mptsas: Disable WRITE SAME [94e5395d2403c8bc2504a7cbe4c4caaacb7b8b84]
Martin Kelly (2): iio:buffer: make length types match kfifo types [c043ec1ca5baae63726aae32abbe003192bc6eec] iio:kfifo_buf: check for uint overflow [3d13de4b027d5f6276c0f9d3a264f518747d83f2]
Masami Hiramatsu (3): ARM: 8771/1: kprobes: Prohibit kprobes on do_undefinstr [eb0146daefdde65665b7f076fbff7b49dade95b9] ARM: 8772/1: kprobes: Prohibit kprobes on get_user functions [0d73c3f8e7f6ee2aab1bb350f60c180f5ae21a2c] tracing/uprobe_event: Fix strncpy corner case [50268a3d266ecfdd6c5873d62b2758d9732fc598]
Mathieu Desnoyers (1): tracepoint: Do not warn on ENOMEM [d66a270be3310d7aa132fec0cea77d3d32a0ff75]
Matt Redfearn (4): MIPS: memset.S: EVA & fault support for small_memset [8a8158c85e1e774a44fbe81106fa41138580dfd1] MIPS: memset.S: Fix clobber of v1 in last_fixup [c96eebf07692e53bf4dd5987510d8b550e793598] MIPS: memset.S: Fix return of __clear_user from Lpartial_fixup [daf70d89f80c6e1772233da9e020114b1254e7e0] MIPS: uaccess: Add micromips clobbers to bzero invocation [b3d7e55c3f886493235bfee08e1e5a4a27cbcce8]
Matthew Auld (1): drm/i915/userptr: reject zero user_size [c11c7bfd213495784b22ef82a69b6489f8d0092f]
Matthew Wilcox (1): mm/filemap.c: fix NULL pointer in page_cache_tree_insert() [abc1be13fd113ddef5e2d807a466286b864caed3]
Mauro Carvalho Chehab (1): media: v4l2-compat-ioctl32: don't oops on overlay [85ea29f19eab56ec16ec6b92bc67305998706afa]
Michael Ellerman (1): powerpc/lib: Fix off-by-one in alternate feature patching [b8858581febb050688e276b956796bc4a78299ed]
Michael Neuling (3): powerpc/64s: Clear PCR on boot [faf37c44a105f3608115785f17cbbf3500f8bc71] powerpc/eeh: Fix enabling bridge MMIO windows [13a83eac373c49c0a081cbcd137e79210fe78acd] powerpc/eeh: Fix race with driver un/bind [f0295e047fcf52ccb42561fb7de6942f5201b676]
Michael S. Tsirkin (6): virtio: add ability to iterate over vqs [24a7e4d20783c0514850f24a5c41ede46ab058f0] virtio_console: don't tie bufs to a vq [2855b33514d290c51d52d94e25d3ef942cd4d578] virtio_console: drop custom control queue cleanup [61a8950c5c5708cf2068b29ffde94e454e528208] virtio_console: free buffers after reset [a7a69ec0d8e4a58be7db88d33cbfa2912807bb2b] virtio_console: move removal code [aa44ec867030a72e8aa127977e37dec551d8df19] virtio_console: reset on out of memory [5c60300d68da32ca77f7f978039dc72bfc78b06b]
Michal Srb (1): drm/i915/cmdparser: Do not check past the cmd length. [3aec7f871c65eb5f76b4125fda432593c834a6f2]
Mika Westerberg (2): ACPI / hotplug / PCI: Check presence of slot itself in get_slot_status() [13d3047c81505cc0fb9bdae7810676e70523c8bf] ahci: Add PCI ID for Cannon Lake PCH-LP AHCI [4544e403eb25552aed7f0ee181a7a506b8800403]
Mike Frysinger (1): vt: change SGR 21 to follow the standards [65d9982d7e523a1a8e7c9af012da0d166f72fc56]
Mike Galbraith (1): sched/autogroup: Fix 64-bit kernel nice level adjustment [83929cce95251cc77e5659bf493bd424ae0e7a67]
Mike Kravetz (1): hugetlbfs: fix bug in pgoff overflow checking [5df63c2a149ae65a9ec239e7c2af44efa6f79beb]
Mikhail Lappo (1): thermal: imx: Fix race condition in imx_thermal_probe() [cf1ba1d73a33944d8c1a75370a35434bf146b8a7]
Moshe Shemesh (1): net/mlx4_en: Verify coalescing parameters are in range [6ad4e91c6d796b38a7f0e724db1de28eeb122bad]
Nicholas Piggin (5): powerpc/64: Fix smp_wmb barrier definition use use lwsync consistently [0bfdf598900fd62869659f360d3387ed80eb71cf] powerpc/powernv: Fix NVRAM sleep in invalid context when crashing [c1d2a31397ec51f0370f6bd17b19b39152c263cb] powerpc/powernv: Fix OPAL NVRAM driver OPAL_BUSY loops [3b8070335f751aac9f1526ae2e012e6f5b8b0f21] powerpc/powernv: Handle unknown OPAL errors in opal_nvram_write() [741de617661794246f84a21a02fc5e327bffc9ad] powerpc/powernv: define a standard delay for OPAL_BUSY type retry loops [34dd25de9fe3f60bfdb31b473bf04b28262d0896]
Nico Sneck (1): drm/radeon: add PX quirk for Asus K73TK [b1550359d1eb392ee54f7cf47cffcfe0a602f6a7]
Nicolas Dichtel (1): ip_tunnel: restore binding to ifaces with a large mtu [82612de1c98e610d194e34178bde3cca7dedce41]
Nicolas Ferre (1): ARM: dts: at91: at91sam9g25: fix mux-mask pinctrl property [e8fd0adf105e132fd84545997bbef3d5edc2c9c1]
Nicolin Chen (1): ASoC: fsl_esai: Fix divisor calculation failure at lower ratio [c656941df9bc80f7ec65b92ca73c42f8b0b62628]
Nikolay Borisov (3): btrfs: Fix possible softlock on single core machines [1e1c50a929bc9e49bc3f9935b92450d9e69f8158] btrfs: Handle error from btrfs_uuid_tree_rem call in _btrfs_ioctl_set_received_subvol [d87ff75863e92a500538ab53318c5740f196631e] btrfs: Refactor transaction handling in received subvolume ioctl [efd38150af45375b46576d0110a323d7fab7e142]
Ondrej Zary (2): Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad [04bb1719c4de94700056241d4c0fe3c1413f5aff] drm/i915: Disable LVDS on Radiant P845 [7f7105f99b75aca4f8c2a748ed6b82c7f8be3293]
Paolo Abeni (2): netfilter: ebtables: handle string from userspace with care [94c752f99954797da583a84c4907ff19e92550a4] team: avoid adding twice the same option to the event list [4fb0534fb7bbc2346ba7d3a072b538007f4135a5]
Paul Parsons (1): drm/radeon: Fix PCIe lane width calculation [85e290d92b4b794d0c758c53007eb4248d385386]
Peng Hao (1): kvm: x86: fix a compile warning [3140c156e919b0f5fad5c5f6cf7876c39d1d4f06]
Peter Rosin (3): i2c: pmcmsp: fix error return from master_xfer [12d9bbc5a7f347eaa65ff2a9d34995cadc05eb1b] i2c: pmcmsp: return message count on master_xfer success [de9a8634f1cb4560a35696d472cc7f1383d9b866] i2c: viperboard: return message count on master_xfer success [35cd67a0caf767aba472452865dcb4471fcce2b1]
Peter Zijlstra (5): clocksource: Initialize cs->wd_list [5b9e886a4af97574ca3ce1147f35545da0e7afc7] perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_* [ef9ee4ad38445a30909c48998624861716f2a994] perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map() [46b1b577229a091b137831becaa0fae8690ee15a] sched/autogroup: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] [354d7793070611b4df5a79fbb0f12752d0ed0cc5] sched/core: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] [7281c8dec8a87685cb54d503d8cceef5a0fc2fdd]
Piaojun (1): ocfs2/dlm: wait for dlm recovery done when migrating all lock resources [60c7ec9ee4a3410c2cb08850102d363c7e207f48]
Prakash Kamliya (1): drm/msm: fix leak in failed get_pages [62e3a3e342af3c313ab38603811ecdb1fcc79edb]
Qu Wenruo (1): btrfs: tests/qgroup: Fix wrong tree backref level [3c0efdf03b2d127f0e40e30db4e7aa0429b1b79a]
Raju Rangoju (1): RDMA/cxgb4: release hw resources on device removal [26bff1bd74a4f7417509a83295614e9dab995b2a]
Rasmus Villemoes (1): drivers: tty: Merge alloc_tty_struct and initialize_tty_struct [2c964a2f4191f2229566895f1a0e85f8339f5dd1]
Ravi Chandra Sadineni (1): USB: Increment wakeup count on remote wakeup. [83a62c51ba7b3c0bf45150c4eac7aefc6c785e94]
Richard Weinberger (2): ubi: Reject MLC NAND [b5094b7f135be34630e3ea8a98fa215715d0f29d] ubifs: Check ubifs_wbuf_sync() return code [aac17948a7ce01fb60b9ee6cf902967a47b3ce26]
Robbie Ko (1): Btrfs: send, fix invalid access to commit roots due to concurrent snapshotting [6f2f0b394b54e2b159ef969a0b5274e9bbf82ff2]
Rodrigo Rivas Costa (1): HID: hidraw: Fix crash on HIDIOCGFEATURE with a destroyed device [a955358d54695e4ad9f7d6489a7ac4d69a8fc711]
Roland Dreier (3): RDMA/ucma: Allow resolving address w/o specifying source address [09abfe7b5b2f442a85f4c4d59ecf582ad76088d7] RDMA/ucma: Don't allow setting RDMA_OPTION_IB_PATH without an RDMA device [8435168d50e66fa5eae01852769d20a36f9e5e83] RDMA/ucma: Introduce safer rdma_addr_size() variants [84652aefb347297aa08e91e283adf7b18f77c2d5]
Romain Izard (1): ubi: Fix error for write access [78a8dfbabbece22bee58ac4cb26cab10e7a19c5d]
Ronnie Sahlberg (1): cifs: fix memory leak in SMB2_open() [b7a73c84eb96dabd6bb8e9d7c56f796d83efee8e]
Russell King (1): ARM: keystone: fix platform_domain_notifier array overrun [9954b80b8c0e8abc98e17bba0fccd9876211ceaa]
SZ Lin (1): NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2 [9306b38e42cb266f98bff6f6f4c1c652aa79ba45]
Sachin Grover (1): selinux: KASAN: slab-out-of-bounds in xattr_getsecurity [efe3de79e0b52ca281ef6691480c8c68c82a4657]
Sean Young (1): media: rc: oops in ir_timer_keyup after device unplug [8d4068810d9926250dd2435719a080b889eb44c3]
Sebastian Ott (1): s390/cio: update chpid descriptor after resource accessibility event [af2e460ade0b0180d0f3812ca4f4f59cc9597f3e]
Sekhar Nori (1): ARM: davinci: board-dm646x-evm: set VPIF capture card name [bb7298a7e87cf3430eb62be8746e5d7a07ca9d7c]
Sergei Shtylyov (1): drm: rcar-du: lvds: Fix LVDS startup on R-Car Gen2 [8525d04ba8a6a9ecfa4bd619c988ca873a5fc2a4]
Shamir Rabinovitch (1): RDMA/ucma: ucma_context reference leak in error path [ef95a90ae6f4f21990e1f7ced6719784a409e811]
Shuah Khan (2): usbip: vhci_hcd: Fix usb device and sockfd leaks [9020a7efe537856eb3e826ebebdf38a5d07a7857] usbip: vhci_hcd: check rhport before using in vhci_hub_control() [5b22f676118ff25049382041da0db8012e57c9e8]
Song Liu (1): tracing: Fix bad use of igrab in trace_uprobe.c [0c92c7a3c5d416f47b32c5f20a611dfeca5d5f2e]
Stefan Brüns (1): drm/i915: Try EDID bitbanging on HDMI after failed read [cfb926e148e99acc02351d72e8b85e32b5f786ef]
Stefan Haberland (1): s390/dasd: fix IO error for newly defined devices [5d27a2bf6e14f5c7d1033ad1e993fcd0eba43e83]
Steve French (2): cifs: do not allow creating sockets except with SMB1 posix exensions [1d0cffa674cfa7d185a302c8c6850fc50b893bed] smb3: directory sync should not return an error [6e70c267e68d77679534dcf4aaf84e66f2cf1425]
Steven Rostedt (3): tracing/x86/xen: Remove zero data size trace events trace_xen_mmu_flush_tlb{_all} [45dd9b0666a162f8e4be76096716670cf1741f0e] tracing: Fix crash when freeing instances with event triggers [86b389ff22bd6ad8fd3cb98e41cd271886c6d023] tracing: Fix regex_match_front() to not over compare the test string [dc432c3d7f9bceb3de6f5b44fb9c657c9810ed6d]
Sudhir Sreedharan (1): rtl8187: Fix NULL pointer dereference in priv->conf_mutex [7972326a26b5bf8dc2adac575c4e03ee7e9d193a]
Sudip Mukherjee (1): libata: blacklist Micron 500IT SSD with MU01 firmware [136d769e0b3475d71350aa3648a116a6ee7a8f6c]
Sven Eckelmann (1): batman-adv: Avoid race in TT TVLV allocator helper [8ba0f9bd3bdea1058c2b2676bec7905724418e40]
Takashi Iwai (21): ALSA: aloop: Add missing cable lock to ctl API callbacks [76b3421b39bd610546931fc923edcf90c18fa395] ALSA: asihpi: Hardening for potential Spectre v1 [f9d94b57e30fd1575b4935045b32d738668aa74b] ALSA: control: Hardening for potential Spectre v1 [088e861edffb84879cf0c0d1b02eda078c3a0ffe] ALSA: hda: Hardening for potential Spectre v1 [69fa6f19b95597618ab30438a27b67ad93daa7c7] ALSA: hdspm: Hardening for potential Spectre v1 [10513142a7114d251670361ad40cba2c61403406] ALSA: opl3: Hardening for potential Spectre v1 [7f054a5bee0987f1e2d4e59daea462421c76f2cb] ALSA: pcm: Avoid potential races between OSS ioctls and read/write [02a5d6925cd34c3b774bdb8eefb057c40a30e870] ALSA: pcm: Check PCM state at xfern compat ioctl [f13876e2c33a657a71bcbb10f767c0951b165020] ALSA: pcm: Fix UAF at PCM release via PCM timer access [a820ccbe21e8ce8e86c39cd1d3bc8c7d1cbb949b] ALSA: pcm: Fix endless loop for XRUN recovery in OSS emulation [e15dc99dbb9cf99f6432e8e3c0b3a8f7a3403a86] ALSA: pcm: Fix mutex unbalance in OSS emulation ioctls [f6d297df4dd47ef949540e4a201230d0c5308325] ALSA: pcm: Return -EBUSY for OSS ioctls changing busy streams [40cab6e88cb0b6c56d3f30b7491a20e803f948f6] ALSA: pcm: Use ERESTARTSYS instead of EINTR in OSS emulation [c64ed5dd9feba193c76eb460b451225ac2a0d87b] ALSA: rawmidi: Fix missing input substream checks in compat ioctls [8a56ef4f3ffba9ebf4967b61ef600b0a7ba10f11] ALSA: rme9652: Hardening for potential Spectre v1 [f526afcd8f71945c23ce581d7864ace93de8a4f7] ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger() [8f22e52528cc372b218b5f100457469615c733ce] ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device [f5e94b4c6ebdabe0f602d796e0430180927521a0] ALSA: seq: oss: Hardening for potential Spectre v1 [8d218dd8116695ecda7164f97631c069938aa22e] ALSA: timer: Call notifier in the same spinlock [f65e0d299807d8a11812845c972493c3f9a18e10] ALSA: usb-audio: Skip broken EU on Dell dock USB-audio [1d8d6428d1da642ddd75b0be2d1bb1123ff8e017] resource: fix integer overflow at reallocation [60bb83b81169820c691fbfa33a6a4aef32aa4b0b]
Tarick Bedeir (1): net/mlx4_core: Fix error handling in mlx4_init_port_info. [57f6f99fdad9984801cde05c1db68fe39b474a10]
Tejun Heo (1): libata: Blacklist some Sandisk SSDs for NCQ [322579dcc865b94b47345ad1b6002ad167f85405]
Tetsuo Handa (4): tty: Avoid possible error pointer dereference at tty_ldisc_restore(). [598c2d41ff44889dd8eced4f117403e472158d85] tty: Don't call panic() at tty_ldisc_init() [903f9db10f18f735e62ba447147b6c434b6af003] tty: Use __GFP_NOFAIL for tty_ldisc_get() [bcdd0ca8cb8730573afebcaae4138f8f4c8eaa20] x86/kexec: Avoid double free_page() upon do_kexec_load() failure [a466ef76b815b86748d9870ef2a430af7b39c710]
Theodore Ts'o (6): ext4: add bounds checking to ext4_xattr_find_entry() [9496005d6ca4cf8f5ee8f828165a8956872dc59d] ext4: add extra checks to ext4_xattr_block_get() [54dd0e0a1b255f115f8647fc6fb93273251b01b9] ext4: don't update checksum of new initialized bitmaps [044e6e3d74a3d7103a0c8a9305dfd94d64000660] ext4: force revalidation of directory pointer after seekdir(2) [e40ff213898502d299351cc2fe1e350cd186f0d3] ext4: set h_journal if there is a failure starting a reserved handle [b2569260d55228b617bd82aba6d0db2faeeb4116] jbd2: if the journal is aborted then don't allow update of the log tail [85e0c4e89c1b864e763c4e3bb15d0b6d501ad5d9]
Thinh Nguyen (1): usb: dwc3: pci: Properly cleanup resource [cabdf83dadfb3d83eec31e0f0638a92dbd716435]
Tony Lindgren (1): net: davinci_emac: Fix runtime pm calls for davinci_emac [b5133e7a988b2cf8e1cd2b23231f36aff35ceffc]
Toshiaki Makita (1): vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi [7ce2367254e84753bceb07327aaf5c953cfce117]
Uwe Kleine-König (1): serial: altera: ensure port->regshift is honored consistently [0e254963b6ba4d63ac911e79537fea38dd03dc50]
Vasily Gorbik (1): s390/ipl: ensure loadparm valid flag is set [15deb080a6087b73089139569558965750e69d67]
Vasyl Vavrychuk (1): USB: serial: ftdi_sio: use jtag quirk for Arrow USB Blaster [470b5d6f0cf4674be2d1ec94e54283a1770b6a1a]
Wei Huang (1): KVM: x86: Update cpuid properly when CR4.OSXAVE or CR4.PKE is changed [c4d2188206bafa177ea58e9a25b952baa0bf7712]
Wenwen Wang (1): ALSA: control: fix a redundant-copy issue [3f12888dfae2a48741c4caa9214885b3aaf350f9]
Willem de Bruijn (2): net: test tailroom before appending to linear skb [113f99c3358564a0647d444c2ae34e8b1abfd5b9] packet: fix bitfield update race [a6361f0ca4b25460f2cdf3235ebe8115f622901e]
Wolfgang Bumiller (1): net: fix deadlock while clearing neighbor proxy table [53b76cdf7e8fecec1d09e38aad2f8579882591a8]
Xiaoming Gao (1): x86/tsc: Prevent 32bit truncation in calc_hpet_ref() [d3878e164dcd3925a237a20e879432400e369172]
Xin Long (5): bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave [ddea788c63094f7c483783265563dd5b50052e28] sctp: do not check port in sctp_inet6_cmp_addr [1071ec9d453a38023579714b64a951a2fb982071] sctp: fix the issue that the cookie-ack with auth can't get processed [ce402f044e4e432c296f90eaabb8dbe8f3624391] sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr [d625329b06e46bd20baf9ee40847d11982569204] team: fix netconsole setup over team [9cf2f437ca5b39828984064fad213e68fc17ef11]
Yazen Ghannam (1): x86/smpboot: Don't use mwait_play_dead() on AMD systems [da6fa7ef67f07108a1b0cb9fd9e7fcaabd39c051]
Yishai Hadas (1): RDMA/mlx5: Don't assume that medium blueFlame register exists [18b0362e87dfa09e355093b897b9db854e360d28]
Zheng Yan (1): ceph: always update atime/mtime/ctime for new inode [ffdeec7aa41aa61ca4ee68fddf4669df9ce661d1]
Zhengjun Xing (1): USB:fix USB3 devices behind USB3 hubs not resuming at hibernate thaw [64627388b50158fd24d6ad88132525b95a5ef573]
Łukasz Stelmach (1): ARM: 8753/1: decompressor: add a missing parameter to the addruart macro [e07e3c33b9c0b5751ade624f44325c9bf2487ea6]
Documentation/networking/ppp_generic.txt | 6 - Makefile | 4 +- arch/arc/include/asm/Kbuild | 1 + arch/arm/boot/compressed/head.S | 16 +- arch/arm/boot/compressed/misc.c | 9 +- arch/arm/boot/dts/at91sam9g25.dtsi | 2 +- arch/arm/crypto/Makefile | 2 + arch/arm/include/asm/assembler.h | 10 + arch/arm/kernel/traps.c | 5 +- arch/arm/kvm/arm.c | 15 +- arch/arm/lib/getuser.S | 4 + arch/arm/mach-davinci/board-dm646x-evm.c | 3 +- arch/arm/mach-keystone/pm_domain.c | 1 + arch/avr32/include/asm/Kbuild | 1 + arch/blackfin/include/asm/Kbuild | 1 + arch/c6x/include/asm/Kbuild | 1 + arch/cris/include/asm/Kbuild | 1 + arch/frv/include/asm/Kbuild | 1 + arch/hexagon/include/asm/Kbuild | 1 + arch/ia64/include/asm/Kbuild | 1 + arch/m32r/include/asm/Kbuild | 1 + arch/metag/include/asm/Kbuild | 1 + arch/microblaze/include/asm/Kbuild | 1 + arch/mips/include/asm/Kbuild | 1 + arch/mips/include/asm/uaccess.h | 11 +- arch/mips/kernel/ptrace.c | 24 ++- arch/mips/kernel/ptrace32.c | 6 +- arch/mips/kvm/kvm_mips.c | 2 +- arch/mips/lib/memset.S | 11 +- arch/mn10300/include/asm/Kbuild | 1 + arch/parisc/kernel/drivers.c | 4 + arch/parisc/kernel/hpmc.S | 6 +- arch/powerpc/include/asm/barrier.h | 3 +- arch/powerpc/include/asm/opal.h | 3 + arch/powerpc/include/asm/synch.h | 4 - arch/powerpc/kernel/cpu_setup_power.S | 4 + arch/powerpc/kernel/eeh_driver.c | 61 ++++-- arch/powerpc/kernel/eeh_pe.c | 3 +- arch/powerpc/lib/feature-fixups.c | 2 +- arch/powerpc/mm/hugetlbpage.c | 17 +- arch/powerpc/platforms/powernv/opal-nvram.c | 21 +- arch/s390/hypfs/inode.c | 2 +- arch/s390/include/asm/Kbuild | 1 + arch/s390/kernel/ipl.c | 1 + arch/s390/kernel/perf_cpum_sf.c | 4 + arch/score/include/asm/Kbuild | 1 + arch/tile/include/asm/Kbuild | 1 + arch/um/include/asm/Kbuild | 1 + arch/um/os-Linux/signal.c | 2 +- arch/unicore32/include/asm/Kbuild | 1 + arch/x86/boot/compressed/eboot.c | 6 +- arch/x86/crypto/cast5_avx_glue.c | 3 +- arch/x86/include/asm/apic.h | 4 +- arch/x86/include/asm/x2apic.h | 2 +- arch/x86/kernel/acpi/boot.c | 18 +- arch/x86/kernel/apic/apic_numachip.c | 2 +- arch/x86/kernel/apic/x2apic_uv_x.c | 2 +- arch/x86/kernel/cpu/perf_event.c | 8 +- arch/x86/kernel/machine_kexec_32.c | 6 +- arch/x86/kernel/machine_kexec_64.c | 4 +- arch/x86/kernel/smpboot.c | 2 + arch/x86/kernel/tsc.c | 2 +- arch/x86/kvm/x86.c | 7 +- arch/x86/mm/dump_pagetables.c | 10 +- arch/x86/net/bpf_jit_comp.c | 3 +- arch/x86/um/stub_segv.c | 2 +- arch/x86/xen/mmu.c | 6 +- arch/xtensa/include/asm/Kbuild | 1 + crypto/af_alg.c | 8 +- crypto/ahash.c | 7 +- drivers/ata/ahci.c | 1 + drivers/ata/libata-core.c | 8 + drivers/atm/zatm.c | 3 + drivers/base/regmap/regmap.c | 22 +- drivers/char/virtio_console.c | 157 +++++++------- drivers/gpu/drm/drm_fops.c | 1 + drivers/gpu/drm/i915/i915_cmd_parser.c | 80 ++++--- drivers/gpu/drm/i915/i915_drv.h | 5 + drivers/gpu/drm/i915/i915_gem_userptr.c | 3 + drivers/gpu/drm/i915/intel_hdmi.c | 14 +- drivers/gpu/drm/i915/intel_lvds.c | 11 +- drivers/gpu/drm/msm/msm_gem.c | 30 ++- drivers/gpu/drm/radeon/radeon_device.c | 15 +- drivers/gpu/drm/radeon/si_dpm.c | 4 +- drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c | 10 +- drivers/hid/hid-core.c | 12 +- drivers/hid/hidraw.c | 5 + drivers/hid/i2c-hid/i2c-hid.c | 13 +- drivers/hwmon/nct6683.c | 4 +- drivers/hwmon/nct6775.c | 10 +- drivers/hwmon/pmbus/adm1275.c | 4 +- drivers/hwmon/pmbus/max8688.c | 2 +- drivers/i2c/busses/i2c-pmcmsp.c | 4 +- drivers/i2c/busses/i2c-viperboard.c | 2 +- drivers/iio/kfifo_buf.c | 11 +- drivers/infiniband/core/addr.c | 16 ++ drivers/infiniband/core/iwpm_util.c | 5 +- drivers/infiniband/core/ucma.c | 43 ++-- drivers/infiniband/hw/cxgb4/cq.c | 11 +- drivers/infiniband/hw/cxgb4/device.c | 8 + drivers/infiniband/hw/cxgb4/iw_cxgb4.h | 6 +- drivers/infiniband/hw/cxgb4/qp.c | 4 +- drivers/infiniband/hw/cxgb4/resource.c | 26 ++- drivers/infiniband/hw/mlx5/qp.c | 39 ++-- drivers/infiniband/ulp/srp/ib_srp.c | 8 +- drivers/input/serio/i8042-x86ia64io.h | 24 +++ drivers/media/pci/cx25821/cx25821-core.c | 7 +- drivers/media/platform/s3c-camif/camif-capture.c | 7 +- drivers/media/rc/rc-main.c | 4 +- drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 4 +- drivers/message/fusion/mptsas.c | 1 + drivers/mmc/host/jz4740_mmc.c | 2 +- drivers/mtd/chips/cfi_cmdset_0001.c | 33 ++- drivers/mtd/chips/cfi_cmdset_0002.c | 9 +- drivers/mtd/ubi/block.c | 2 +- drivers/mtd/ubi/build.c | 11 + drivers/net/bonding/bond_main.c | 3 +- drivers/net/can/usb/kvaser_usb.c | 2 +- drivers/net/ethernet/broadcom/bcmsysport.c | 11 +- drivers/net/ethernet/broadcom/genet/bcmgenet.c | 11 +- drivers/net/ethernet/cisco/enic/enic_main.c | 8 +- drivers/net/ethernet/marvell/sky2.c | 2 +- drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 16 ++ drivers/net/ethernet/mellanox/mlx4/main.c | 4 +- drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 7 +- drivers/net/ethernet/mellanox/mlx4/qp.c | 4 +- drivers/net/ethernet/ti/cpsw.c | 13 +- drivers/net/ethernet/ti/davinci_cpdma.c | 2 +- drivers/net/ethernet/ti/davinci_emac.c | 62 ++++-- drivers/net/ppp/ppp_generic.c | 136 +++++++----- drivers/net/ppp/pppoe.c | 4 + drivers/net/team/team.c | 38 +++- drivers/net/usb/qmi_wwan.c | 13 ++ drivers/net/vmxnet3/vmxnet3_drv.c | 137 ++++++++---- drivers/net/vmxnet3/vmxnet3_int.h | 8 +- drivers/net/wireless/rtl818x/rtl8187/dev.c | 2 +- drivers/parport/parport_pc.c | 4 + drivers/pci/hotplug/acpiphp_glue.c | 23 +- drivers/pci/quirks.c | 13 ++ drivers/pinctrl/pinctrl-single.c | 22 +- drivers/rtc/rtc-snvs.c | 15 +- drivers/rtc/rtc-tx4939.c | 6 +- drivers/s390/block/dasd_alias.c | 16 +- drivers/s390/cio/chsc.c | 14 +- drivers/s390/cio/qdio_main.c | 42 ++-- drivers/s390/cio/qdio_setup.c | 12 +- drivers/s390/net/qeth_core_main.c | 8 +- drivers/s390/scsi/zfcp_dbf.c | 23 +- drivers/s390/scsi/zfcp_ext.h | 5 +- drivers/s390/scsi/zfcp_scsi.c | 14 +- drivers/scsi/qla2xxx/qla_init.c | 3 +- drivers/scsi/sd.c | 2 + drivers/staging/line6/midi.c | 2 +- drivers/staging/rtl8192u/r8192U_core.c | 2 + drivers/staging/usbip/usbip_common.h | 2 +- drivers/staging/usbip/vhci_hcd.c | 8 +- drivers/thermal/imx_thermal.c | 19 +- drivers/tty/Makefile | 3 +- drivers/tty/n_null.c | 80 +++++++ drivers/tty/pty.c | 19 +- drivers/tty/serial/altera_uart.c | 6 +- drivers/tty/serial/arc_uart.c | 8 +- drivers/tty/serial/fsl_lpuart.c | 4 + drivers/tty/serial/imx.c | 6 + drivers/tty/serial/mxs-auart.c | 5 + drivers/tty/serial/pxa.c | 4 + drivers/tty/serial/xilinx_uartps.c | 2 +- drivers/tty/tty_io.c | 42 ++-- drivers/tty/tty_ldisc.c | 68 +++--- drivers/tty/vt/vt.c | 6 +- drivers/usb/core/config.c | 4 +- drivers/usb/core/generic.c | 9 +- drivers/usb/core/hcd.c | 1 + drivers/usb/core/hub.c | 10 +- drivers/usb/core/quirks.c | 3 + drivers/usb/dwc3/dwc3-pci.c | 2 +- drivers/usb/host/xhci-pci.c | 5 +- drivers/usb/musb/musb_gadget_ep0.c | 14 +- drivers/usb/musb/musb_host.c | 4 +- drivers/usb/serial/Kconfig | 1 + drivers/usb/serial/cp210x.c | 2 + drivers/usb/serial/ftdi_sio.c | 5 +- drivers/usb/serial/ftdi_sio_ids.h | 9 + drivers/usb/serial/usb-serial-simple.c | 7 + drivers/usb/serial/visor.c | 69 +++--- drivers/video/fbdev/stifb.c | 2 +- drivers/watchdog/f71808e_wdt.c | 2 +- drivers/xen/swiotlb-xen.c | 2 +- drivers/xen/xen-acpi-processor.c | 6 +- fs/affs/namei.c | 10 +- fs/afs/security.c | 13 +- fs/aio.c | 7 +- fs/autofs4/root.c | 2 +- fs/btrfs/ctree.c | 16 +- fs/btrfs/extent-tree.c | 1 + fs/btrfs/inode.c | 231 +++++++++++++------- fs/btrfs/ioctl.c | 22 +- fs/btrfs/tests/qgroup-tests.c | 2 +- fs/btrfs/tree-log.c | 12 +- fs/buffer.c | 2 +- fs/ceph/inode.c | 10 +- fs/cifs/cifsfs.c | 13 ++ fs/cifs/dir.c | 9 +- fs/cifs/smb2pdu.c | 49 +++-- fs/dcache.c | 22 ++ fs/ecryptfs/inode.c | 3 +- fs/ext2/inode.c | 10 - fs/ext2/namei.c | 6 +- fs/ext3/namei.c | 6 +- fs/ext4/balloc.c | 3 +- fs/ext4/dir.c | 8 +- fs/ext4/ialloc.c | 43 +--- fs/ext4/indirect.c | 5 +- fs/ext4/namei.c | 6 +- fs/ext4/xattr.c | 86 +++++--- fs/ext4/xattr.h | 11 + fs/f2fs/f2fs.h | 1 + fs/f2fs/gc.c | 2 +- fs/f2fs/inode.c | 23 ++ fs/f2fs/namei.c | 52 ++--- fs/fs-writeback.c | 2 +- fs/hugetlbfs/inode.c | 10 +- fs/jbd2/journal.c | 5 +- fs/jbd2/transaction.c | 1 + fs/jffs2/dir.c | 12 +- fs/jffs2/super.c | 2 +- fs/jfs/namei.c | 12 +- fs/namespace.c | 3 +- fs/nilfs2/namei.c | 6 +- fs/notify/fanotify/fanotify.c | 34 ++- fs/ocfs2/dlm/dlmcommon.h | 1 + fs/ocfs2/dlm/dlmdomain.c | 15 ++ fs/ocfs2/dlm/dlmrecovery.c | 13 +- fs/proc/proc_sysctl.c | 3 + fs/reiserfs/journal.c | 2 +- fs/reiserfs/namei.c | 12 +- fs/ubifs/super.c | 14 +- fs/udf/ialloc.c | 7 +- fs/udf/namei.c | 106 ++++----- fs/ufs/ialloc.c | 6 +- fs/ufs/namei.c | 14 +- include/asm-generic/word-at-a-time.h | 80 ++++++- include/linux/clk-provider.h | 3 +- include/linux/dcache.h | 1 + include/linux/efi.h | 8 +- include/linux/hid.h | 4 +- include/linux/iio/buffer.h | 6 +- include/linux/log2.h | 13 +- include/linux/msg.h | 4 +- include/linux/mtd/flashchip.h | 1 + include/linux/shm.h | 4 +- include/linux/string.h | 3 + include/linux/tty.h | 6 +- include/linux/virtio.h | 3 + include/net/dst.h | 1 + include/net/inet_timewait_sock.h | 1 + include/net/nexthop.h | 2 +- include/rdma/ib_addr.h | 2 + include/sound/control.h | 7 +- include/sound/pcm_oss.h | 1 + include/trace/events/xen.h | 16 -- include/uapi/linux/ppp-ioctl.h | 2 +- include/uapi/linux/tty.h | 1 + ipc/msg.c | 19 +- ipc/msgutil.c | 2 +- ipc/sem.c | 38 ++-- ipc/shm.c | 116 +++++++--- ipc/util.c | 9 + ipc/util.h | 11 + kernel/resource.c | 3 +- kernel/sched/auto_group.c | 9 +- kernel/sched/core.c | 3 + kernel/sys.c | 4 + kernel/time/clocksource.c | 2 + kernel/time/tick-broadcast.c | 8 + kernel/trace/trace_events_filter.c | 3 + kernel/trace/trace_events_trigger.c | 5 +- kernel/trace/trace_uprobe.c | 32 ++- kernel/tracepoint.c | 4 +- lib/string.c | 88 ++++++++ mm/filemap.c | 7 +- mm/mmap.c | 32 +++ net/atm/lec.c | 9 +- net/batman-adv/translation-table.c | 93 ++++++-- net/bridge/netfilter/ebtables.c | 3 +- net/ceph/messenger.c | 7 + net/compat.c | 6 +- net/core/dev.c | 3 +- net/core/dev_addr_lists.c | 4 +- net/core/neighbour.c | 30 ++- net/core/skbuff.c | 1 + net/dccp/ccids/ccid2.c | 14 +- net/dccp/timer.c | 2 +- net/dns_resolver/dns_key.c | 14 +- net/ipv4/inet_timewait_sock.c | 1 + net/ipv4/ip_output.c | 3 +- net/ipv4/ip_tunnel.c | 17 +- net/ipv4/ping.c | 7 +- net/ipv4/route.c | 118 +++++----- net/ipv4/tcp.c | 8 +- net/ipv4/tcp_input.c | 7 +- net/ipv4/tcp_output.c | 7 +- net/ipv4/udp.c | 7 +- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_output.c | 3 +- net/ipv6/ip6_tunnel.c | 8 +- net/ipv6/ip6_vti.c | 7 +- net/ipv6/route.c | 2 + net/ipv6/sit.c | 8 +- net/ipv6/xfrm6_policy.c | 2 +- net/l2tp/l2tp_core.c | 260 ++++++++++------------- net/l2tp/l2tp_core.h | 7 +- net/l2tp/l2tp_debugfs.c | 18 +- net/l2tp/l2tp_netlink.c | 28 ++- net/l2tp/l2tp_ppp.c | 43 +++- net/llc/af_llc.c | 17 +- net/netfilter/ipvs/ip_vs_core.c | 8 + net/netfilter/ipvs/ip_vs_ctl.c | 15 +- net/netfilter/ipvs/ip_vs_sync.c | 10 +- net/netfilter/nf_tables_api.c | 59 ++--- net/netlink/af_netlink.c | 2 + net/packet/af_packet.c | 86 +++++--- net/packet/internal.h | 10 +- net/rfkill/rfkill-gpio.c | 7 +- net/sched/sch_fq.c | 37 ++-- net/sctp/inqueue.c | 2 +- net/sctp/ipv6.c | 65 +++--- net/sunrpc/rpc_pipe.c | 1 + security/selinux/ss/services.c | 2 +- sound/core/control_compat.c | 3 +- sound/core/oss/pcm_oss.c | 186 ++++++++++++---- sound/core/pcm.c | 8 +- sound/core/pcm_compat.c | 2 + sound/core/pcm_native.c | 1 + sound/core/rawmidi_compat.c | 18 +- sound/core/seq/oss/seq_oss_event.c | 15 +- sound/core/seq/oss/seq_oss_midi.c | 2 + sound/core/seq/oss/seq_oss_synth.c | 85 ++++---- sound/core/seq/oss/seq_oss_synth.h | 3 +- sound/core/seq/seq_virmidi.c | 4 +- sound/core/timer.c | 222 +++++++++---------- sound/drivers/aloop.c | 17 +- sound/drivers/opl3/opl3_synth.c | 7 +- sound/pci/asihpi/hpimsginit.c | 39 ++-- sound/pci/asihpi/hpioctl.c | 4 +- sound/pci/hda/hda_hwdep.c | 12 +- sound/pci/rme9652/hdspm.c | 24 ++- sound/pci/rme9652/rme9652.c | 6 +- sound/soc/codecs/ssm2602.c | 19 +- sound/soc/fsl/fsl_esai.c | 7 + sound/usb/mixer.c | 8 + sound/usb/mixer_maps.c | 3 + tools/perf/Documentation/perf-top.txt | 3 + tools/perf/builtin-record.c | 2 +- 354 files changed, 3603 insertions(+), 1941 deletions(-)
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Major Hayden major@mhtx.net
commit 9608e5c0f079390473b484ef92334dfd3431bb89 upstream.
This patch adds a device ID for the RT Systems cable used to program Yaesu VX-8R/VX-8DR handheld radios. It uses the main FTDI VID instead of the common RT Systems VID.
Signed-off-by: Major Hayden major@mhtx.net Signed-off-by: Johan Hovold johan@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/serial/ftdi_sio.c | 1 + drivers/usb/serial/ftdi_sio_ids.h | 3 +++ 2 files changed, 4 insertions(+)
--- a/drivers/usb/serial/ftdi_sio.c +++ b/drivers/usb/serial/ftdi_sio.c @@ -786,6 +786,7 @@ static const struct usb_device_id id_tab .driver_info = (kernel_ulong_t)&ftdi_NDI_device_quirk }, { USB_DEVICE(TELLDUS_VID, TELLDUS_TELLSTICK_PID) }, { USB_DEVICE(NOVITUS_VID, NOVITUS_BONO_E_PID) }, + { USB_DEVICE(FTDI_VID, RTSYSTEMS_USB_VX8_PID) }, { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_S03_PID) }, { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_59_PID) }, { USB_DEVICE(RTSYSTEMS_VID, RTSYSTEMS_USB_57A_PID) }, --- a/drivers/usb/serial/ftdi_sio_ids.h +++ b/drivers/usb/serial/ftdi_sio_ids.h @@ -922,6 +922,9 @@ /* * RT Systems programming cables for various ham radios */ +/* This device uses the VID of FTDI */ +#define RTSYSTEMS_USB_VX8_PID 0x9e50 /* USB-VX8 USB to 7 pin modular plug for Yaesu VX-8 radio */ + #define RTSYSTEMS_VID 0x2100 /* Vendor ID */ #define RTSYSTEMS_USB_S03_PID 0x9001 /* RTS-03 USB to Serial Adapter */ #define RTSYSTEMS_USB_59_PID 0x9e50 /* USB-59 USB to 8 pin plug */
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: James Kelly jamespeterkelly@gmail.com
commit a01df75ce737951ad13a08d101306e88c3f57cb2 upstream.
SSM2602 driver is broken on recent kernels (at least since 4.9). User space applications such as amixer or alsamixer get EIO when attempting to access codec controls via the relevant IOCTLs.
Root cause of these failures is the regcache_hw_init function in drivers/base/regmap/regcache.c, which prevents regmap cache initalization from the reg_defaults_raw element of the regmap_config structure when registers are write only. It also disables the regmap cache entirely when all registers are write only or volatile as is the case for the SSM2602 driver.
Using the reg_defaults element of the regmap_config structure rather than the reg_defaults_raw element to initalize the regmap cache avoids the logic in the regcache_hw_init function entirely. It also makes this driver consistent with other ASoC codec drivers, as this driver was the ONLY codec driver that used the reg_defaults_raw element to initalize the cache.
Tested on Digilent Zybo Z7 development board which has a SSM2603 codec chip connected to a Xilinx Zynq SoC.
Signed-off-by: James Kelly jamespeterkelly@gmail.com Signed-off-by: Mark Brown broonie@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/soc/codecs/ssm2602.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-)
--- a/sound/soc/codecs/ssm2602.c +++ b/sound/soc/codecs/ssm2602.c @@ -54,10 +54,17 @@ struct ssm2602_priv { * using 2 wire for device control, so we cache them instead. * There is no point in caching the reset register */ -static const u16 ssm2602_reg[SSM2602_CACHEREGNUM] = { - 0x0097, 0x0097, 0x0079, 0x0079, - 0x000a, 0x0008, 0x009f, 0x000a, - 0x0000, 0x0000 +static const struct reg_default ssm2602_reg[SSM2602_CACHEREGNUM] = { + { .reg = 0x00, .def = 0x0097 }, + { .reg = 0x01, .def = 0x0097 }, + { .reg = 0x02, .def = 0x0079 }, + { .reg = 0x03, .def = 0x0079 }, + { .reg = 0x04, .def = 0x000a }, + { .reg = 0x05, .def = 0x0008 }, + { .reg = 0x06, .def = 0x009f }, + { .reg = 0x07, .def = 0x000a }, + { .reg = 0x08, .def = 0x0000 }, + { .reg = 0x09, .def = 0x0000 } };
@@ -629,8 +636,8 @@ const struct regmap_config ssm2602_regma .volatile_reg = ssm2602_register_volatile,
.cache_type = REGCACHE_RBTREE, - .reg_defaults_raw = ssm2602_reg, - .num_reg_defaults_raw = ARRAY_SIZE(ssm2602_reg), + .reg_defaults = ssm2602_reg, + .num_reg_defaults = ARRAY_SIZE(ssm2602_reg), }; EXPORT_SYMBOL_GPL(ssm2602_regmap_config);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Olsa jolsa@kernel.org
commit c3dec27b7f70a9ad5f777d943d51ecdfcd9824d0 upstream.
There's no new-line after target-override warning, now:
$ perf record -a --per-thread Warning: SYSTEM/CPU switch overriding PER-THREAD^C[ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 0.705 MB perf.data (2939 samples) ]
with patch:
$ perf record -a --per-thread Warning: SYSTEM/CPU switch overriding PER-THREAD ^C[ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 0.705 MB perf.data (2939 samples) ]
Signed-off-by: Jiri Olsa jolsa@kernel.org Tested-by: Arnaldo Carvalho de Melo acme@redhat.com Cc: Alexander Shishkin alexander.shishkin@linux.intel.com Cc: David Ahern dsahern@gmail.com Cc: Namhyung Kim namhyung@kernel.org Cc: Peter Zijlstra peterz@infradead.org Fixes: 16ad2ffb822c ("perf tools: Introduce perf_target__strerror()") Link: http://lkml.kernel.org/r/20180206181813.10943-3-jolsa@kernel.org Signed-off-by: Arnaldo Carvalho de Melo acme@redhat.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- tools/perf/builtin-record.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/tools/perf/builtin-record.c +++ b/tools/perf/builtin-record.c @@ -942,7 +942,7 @@ int cmd_record(int argc, const char **ar err = target__validate(&rec->opts.target); if (err) { target__strerror(&rec->opts.target, err, errbuf, BUFSIZ); - ui__warning("%s", errbuf); + ui__warning("%s\n", errbuf); }
err = target__parse_uid(&rec->opts.target);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven geert+renesas@glider.be
commit e7d75e18d0fc3f7193b65282b651f980c778d935 upstream.
The cdns_uart_port[] array is indexed using a value derived from the "serialN" alias in DT, which may lead to an out-of-bounds access.
Fix this by adding a range check.
Fixes: 928e9263492069ee ("tty: xuartps: Initialize ports according to aliases") Signed-off-by: Geert Uytterhoeven geert+renesas@glider.be Reviewed-by: Michal Simek michal.simek@xilinx.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/tty/serial/xilinx_uartps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/tty/serial/xilinx_uartps.c +++ b/drivers/tty/serial/xilinx_uartps.c @@ -1007,7 +1007,7 @@ static struct uart_port *cdns_uart_get_p struct uart_port *port;
/* Try the given port id if failed use default method */ - if (cdns_uart_port[id].mapbase != 0) { + if (id < CDNS_UART_NR_PORTS && cdns_uart_port[id].mapbase != 0) { /* Find the next unused port */ for (id = 0; id < CDNS_UART_NR_PORTS; id++) if (cdns_uart_port[id].mapbase == 0)
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King colin.king@canonical.com
commit 347876ad47b9923ce26e686173bbf46581802ffa upstream.
The shifting of buf[5] by 24 bits to the left will be promoted to a 32 bit signed int and then sign-extended to an unsigned long. If the top bit of buf[5] is set then all then all the upper bits sec end up as also being set because of the sign-extension. Fix this by casting buf[5] to an unsigned long before the shift.
Detected by CoverityScan, CID#1465292 ("Unintended sign extension")
Fixes: 0e1492330cd2 ("rtc: add rtc-tx4939 driver") Signed-off-by: Colin Ian King colin.king@canonical.com Signed-off-by: Alexandre Belloni alexandre.belloni@bootlin.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/rtc/rtc-tx4939.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/rtc/rtc-tx4939.c +++ b/drivers/rtc/rtc-tx4939.c @@ -86,7 +86,8 @@ static int tx4939_rtc_read_time(struct d for (i = 2; i < 6; i++) buf[i] = __raw_readl(&rtcreg->dat); spin_unlock_irq(&pdata->lock); - sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2]; + sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) | + (buf[3] << 8) | buf[2]; rtc_time_to_tm(sec, tm); return rtc_valid_tm(tm); } @@ -147,7 +148,8 @@ static int tx4939_rtc_read_alarm(struct alrm->enabled = (ctl & TX4939_RTCCTL_ALME) ? 1 : 0; alrm->pending = (ctl & TX4939_RTCCTL_ALMD) ? 1 : 0; spin_unlock_irq(&pdata->lock); - sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2]; + sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) | + (buf[3] << 8) | buf[2]; rtc_time_to_tm(sec, &alrm->time); return rtc_valid_tm(&alrm->time); }
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Lechner david@lechnology.com
commit 45dcb54f014d3d1f5cc3919b5f0c97087d7cb3dd upstream.
This fixes pcs_request_gpio() in the pinctrl-single driver when bits_per_mux != 0. It appears this was overlooked when the multiple pins per register feature was added.
Fixes: 4e7e8017a80e ("pinctrl: pinctrl-single: enhance to configure multiple pins of different modules") Signed-off-by: David Lechner david@lechnology.com Acked-by: Tony Lindgren tony@atomide.com Signed-off-by: Linus Walleij linus.walleij@linaro.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/pinctrl/pinctrl-single.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-)
--- a/drivers/pinctrl/pinctrl-single.c +++ b/drivers/pinctrl/pinctrl-single.c @@ -562,9 +562,25 @@ static int pcs_request_gpio(struct pinct || pin < frange->offset) continue; mux_bytes = pcs->width / BITS_PER_BYTE; - data = pcs->read(pcs->base + pin * mux_bytes) & ~pcs->fmask; - data |= frange->gpiofunc; - pcs->write(data, pcs->base + pin * mux_bytes); + + if (pcs->bits_per_mux) { + int byte_num, offset, pin_shift; + + byte_num = (pcs->bits_per_pin * pin) / BITS_PER_BYTE; + offset = (byte_num / mux_bytes) * mux_bytes; + pin_shift = pin % (pcs->width / pcs->bits_per_pin) * + pcs->bits_per_pin; + + data = pcs->read(pcs->base + offset); + data &= ~(pcs->fmask << pin_shift); + data |= frange->gpiofunc << pin_shift; + pcs->write(data, pcs->base + offset); + } else { + data = pcs->read(pcs->base + pin * mux_bytes); + data &= ~pcs->fmask; + data |= frange->gpiofunc; + pcs->write(data, pcs->base + pin * mux_bytes); + } break; } return 0;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Leonard Crestez leonard.crestez@nxp.com
commit 6aaf49b495b446ff6eec0ac983f781ca0dc56a73 upstream.
The decision to rebuild .S_shipped is made based on the relative timestamps of .S_shipped and .pl files but git makes this essentially random. This means that the perl script might run anyway (usually at most once per checkout), defeating the whole purpose of _shipped.
Fix by skipping the rule unless explicit make variables are provided: REGENERATE_ARM_CRYPTO or REGENERATE_ARM64_CRYPTO.
This can produce nasty occasional build failures downstream, for example for toolchains with broken perl. The solution is minimally intrusive to make it easier to push into stable.
Another report on a similar issue here: https://lkml.org/lkml/2018/3/8/1379
Signed-off-by: Leonard Crestez leonard.crestez@nxp.com Reviewed-by: Masahiro Yamada yamada.masahiro@socionext.com Acked-by: Ard Biesheuvel ard.biesheuvel@linaro.org Signed-off-by: Herbert Xu herbert@gondor.apana.org.au [bwh: Backported to 3.16: Only arm has this problem] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/arch/arm/crypto/Makefile +++ b/arch/arm/crypto/Makefile @@ -10,10 +10,12 @@ aes-arm-y := aes-armv4.o aes_glue.o aes-arm-bs-y := aesbs-core.o aesbs-glue.o sha1-arm-y := sha1-armv4-large.o sha1_glue.o
+ifdef REGENERATE_ARM_CRYPTO quiet_cmd_perl = PERL $@ cmd_perl = $(PERL) $(<) > $(@)
$(src)/aesbs-core.S_shipped: $(src)/bsaes-armv7.pl $(call cmd,perl) +endif
.PRECIOUS: $(obj)/aesbs-core.S
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Charles Keepax ckeepax@opensource.cirrus.com
commit 9ae27a8d1f3ebff09191fb8cb1341414547293b2 upstream.
A bulk read can be implemented either through regmap_raw_read, or by reading each register individually using regmap_read. Both regmap_read and regmap_bulk_read should return values in native endian. In the individual case the current implementation calls format_val to put the data into the output array, which can cause endian issues. The regmap_read will have already converted the data into native endian, if the hosts endian differs from the device then format_val will switch the endian back again.
Rather than using format_val simply use the code that is called if there is no format_val function. This code supports all cases except 24-bit but there don't appear to be any users of regmap_bulk_read for 24-bit. Additionally, it would have to be a big endian host for the old code to actually function correctly anyway.
Fixes: 15b8d2c41fe5 ("regmap: Fix regmap_bulk_read in BE mode") Reported-by: David Rhodes david.rhodes@cirrus.com Signed-off-by: Charles Keepax ckeepax@opensource.cirrus.com Signed-off-by: Mark Brown broonie@kernel.org [bwh: Backported to 3.16: - 64-bit I/O is not supported - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/base/regmap/regmap.c +++ b/drivers/base/regmap/regmap.c @@ -2240,39 +2240,30 @@ int regmap_bulk_read(struct regmap *map, for (i = 0; i < val_count * val_bytes; i += val_bytes) map->format.parse_inplace(val + i); } else { + u32 *u32 = val; + u16 *u16 = val; + u8 *u8 = val; + for (i = 0; i < val_count; i++) { unsigned int ival; + ret = regmap_read(map, reg + (i * map->reg_stride), &ival); if (ret != 0) return ret;
- if (map->format.format_val) { - map->format.format_val(val + (i * val_bytes), ival, 0); - } else { - /* Devices providing read and write - * operations can use the bulk I/O - * functions if they define a val_bytes, - * we assume that the values are native - * endian. - */ - u32 *u32 = val; - u16 *u16 = val; - u8 *u8 = val; - - switch (map->format.val_bytes) { - case 4: - u32[i] = ival; - break; - case 2: - u16[i] = ival; - break; - case 1: - u8[i] = ival; - break; - default: - return -EINVAL; - } + switch (map->format.val_bytes) { + case 4: + u32[i] = ival; + break; + case 2: + u16[i] = ival; + break; + case 1: + u8[i] = ival; + break; + default: + return -EINVAL; } } }
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Ma aaron.ma@canonical.com
commit 6de0b13cc0b4ba10e98a9263d7a83b940720b77a upstream.
When size is negative, calling memset will make segment fault. Declare the size as type u32 to keep memset safe.
size in struct hid_report is unsigned, fix return type of hid_report_len to u32.
Signed-off-by: Aaron Ma aaron.ma@canonical.com Signed-off-by: Jiri Kosina jkosina@suse.cz [bwh: Backported to 3.16: adjust filename, context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/hid/hid-core.c | 10 +++++----- include/linux/hid.h | 6 +++--- 2 files changed, 8 insertions(+), 8 deletions(-)
--- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1284,7 +1284,7 @@ void hid_output_report(struct hid_report } EXPORT_SYMBOL_GPL(hid_output_report);
-static int hid_report_len(struct hid_report *report) +static u32 hid_report_len(struct hid_report *report) { /* equivalent to DIV_ROUND_UP(report->size, 8) + !!(report->id > 0) */ return ((report->size - 1) >> 3) + 1 + (report->id > 0); @@ -1300,7 +1300,7 @@ u8 *hid_alloc_report_buf(struct hid_repo * of implement() working on 8 byte chunks */
- int len = hid_report_len(report) + 7; + u32 len = hid_report_len(report) + 7;
return kmalloc(len, flags); } @@ -1365,7 +1365,7 @@ void __hid_request(struct hid_device *hi { char *buf; int ret; - int len; + u32 len;
buf = hid_alloc_report_buf(report, GFP_KERNEL); if (!buf) @@ -1391,14 +1391,14 @@ out: } EXPORT_SYMBOL_GPL(__hid_request);
-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, +int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, int interrupt) { struct hid_report_enum *report_enum = hid->report_enum + type; struct hid_report *report; struct hid_driver *hdrv; unsigned int a; - int rsize, csize = size; + u32 rsize, csize = size; u8 *cdata = data; int ret = 0;
@@ -1456,7 +1456,7 @@ EXPORT_SYMBOL_GPL(hid_report_raw_event); * * This is data entry for lower layers. */ -int hid_input_report(struct hid_device *hid, int type, u8 *data, int size, int interrupt) +int hid_input_report(struct hid_device *hid, int type, u8 *data, u32 size, int interrupt) { struct hid_report_enum *report_enum; struct hid_driver *hdrv; --- a/include/linux/hid.h +++ b/include/linux/hid.h @@ -757,7 +757,7 @@ extern int hidinput_connect(struct hid_d extern void hidinput_disconnect(struct hid_device *);
int hid_set_field(struct hid_field *, unsigned, __s32); -int hid_input_report(struct hid_device *, int type, u8 *, int, int); +int hid_input_report(struct hid_device *, int type, u8 *, u32, int); int hidinput_find_field(struct hid_device *hid, unsigned int type, unsigned int code, struct hid_field **field); struct hid_field *hidinput_get_led_field(struct hid_device *hid); unsigned int hidinput_count_leds(struct hid_device *hid); @@ -1055,7 +1055,7 @@ static inline void hid_hw_wait(struct hi hdev->ll_driver->wait(hdev); }
-int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, +int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, int interrupt);
/* HID quirks API */
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Michal Srb msrb@suse.com
commit 3aec7f871c65eb5f76b4125fda432593c834a6f2 upstream.
The command MEDIA_VFE_STATE checks bits at offset +2 dwords. However, it is possible to have MEDIA_VFE_STATE command with length = 0 + LENGTH_BIAS = 2. In that case check_cmd will read bits from the following command, or even past the end of the buffer.
If the offset ends up outside of the command length, reject the command.
Fixes: 351e3db2b363 ("drm/i915: Implement command buffer parsing logic") Signed-off-by: Michal Srb msrb@suse.com Link: https://patchwork.freedesktop.org/patch/msgid/20180205151745.29292-1-msrb@su... Reviewed-by: Chris Wilson chris@chris-wilson.co.uk Signed-off-by: Chris Wilson chris@chris-wilson.co.uk Link: https://patchwork.freedesktop.org/patch/msgid/20180205160438.3267-2-chris@ch... [bwh: Backported to 3.16: Log ring->id rather than engine->name] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/gpu/drm/i915/i915_cmd_parser.c | 6 ++++++ 1 file changed, 6 insertions(+)
--- a/drivers/gpu/drm/i915/i915_cmd_parser.c +++ b/drivers/gpu/drm/i915/i915_cmd_parser.c @@ -941,6 +941,12 @@ static bool check_cmd(const struct intel continue; }
+ if (desc->bits[i].offset >= length) { + DRM_DEBUG_DRIVER("CMD: Rejected command 0x%08X, too short to check bitmask (ring=%d)\n", + *cmd, ring->id); + return false; + } + dword = cmd[desc->bits[i].offset] & desc->bits[i].mask;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven geert+renesas@glider.be
commit 5673444821406dda5fc25e4b52aca419f8065a19 upstream.
The imx_ports[] array is indexed using a value derived from the "serialN" alias in DT, or from platform data, which may lead to an out-of-bounds access.
Fix this by adding a range check.
Fixes: ff05967a07225ab6 ("serial/imx: add of_alias_get_id() reference back") Signed-off-by: Geert Uytterhoeven geert+renesas@glider.be Reviewed-by: Uwe Kleine-König u.kleine-koenig@pengutronix.de Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/tty/serial/imx.c | 6 ++++++ 1 file changed, 6 insertions(+)
--- a/drivers/tty/serial/imx.c +++ b/drivers/tty/serial/imx.c @@ -1919,6 +1919,12 @@ static int serial_imx_probe(struct platf else if (ret < 0) return ret;
+ if (sport->port.line >= ARRAY_SIZE(imx_ports)) { + dev_err(&pdev->dev, "serial%d out of range\n", + sport->port.line); + return -EINVAL; + } + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); base = devm_ioremap_resource(&pdev->dev, res); if (IS_ERR(base))
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Igor Pylypiv igor.pylypiv@gmail.com
commit 977f6f68331f94bb72ad84ee96b7b87ce737d89d upstream.
F71808FG_FLAG_WD_EN defines bit position, not a bitmask
Signed-off-by: Igor Pylypiv igor.pylypiv@gmail.com Reviewed-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Wim Van Sebroeck wim@iguana.be Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/watchdog/f71808e_wdt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/watchdog/f71808e_wdt.c +++ b/drivers/watchdog/f71808e_wdt.c @@ -450,7 +450,7 @@ static bool watchdog_is_running(void)
is_running = (superio_inb(watchdog.sioaddr, SIO_REG_ENABLE) & BIT(0)) && (superio_inb(watchdog.sioaddr, F71808FG_REG_WDT_CONF) - & F71808FG_FLAG_WD_EN); + & BIT(F71808FG_FLAG_WD_EN));
superio_exit(watchdog.sioaddr);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Neuschäfer j.neuschaefer@gmx.net
commit 8eb1a8590f5ca114fabf16ebb26a4bce0255ace9 upstream.
This fixes the following kernel-doc warning:
./include/net/dst.h:366: warning: Function parameter or member 'net' not described in 'skb_tunnel_rx'
Fixes: ea23192e8e57 ("tunnels: harmonize cleanup done on skb on rx path") Signed-off-by: Jonathan Neuschäfer j.neuschaefer@gmx.net Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- include/net/dst.h | 1 + 1 file changed, 1 insertion(+)
--- a/include/net/dst.h +++ b/include/net/dst.h @@ -350,6 +350,7 @@ static inline void __skb_tunnel_rx(struc * skb_tunnel_rx - prepare skb for rx reinsert * @skb: buffer * @dev: tunnel device + * @net: netns for packet i/o * * After decapsulation, packet is going to re-enter (netif_rx()) our stack, * so make some cleanups, and perform accounting.
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Brüns stefan.bruens@rwth-aachen.de
commit cfb926e148e99acc02351d72e8b85e32b5f786ef upstream.
The ACK/NACK implementation as found in e.g. the G965 has the falling clock edge and the release of the data line after the ACK for the received byte happen at the same time.
This is conformant with the I2C specification, which allows a zero hold time, see footnote [3]: "A device must internally provide a hold time of at least 300 ns for the SDA signal (with respect to the V IH(min) of the SCL signal) to bridge the undefined region of the falling edge of SCL."
Some HDMI-to-VGA converters apparently fail to adhere to this requirement and latch SDA at the falling clock edge, so instead of an ACK sometimes a NACK is read and the slave (i.e. the EDID ROM) ends the transfer.
The bitbanging releases the data line for the ACK only 1/4 bit time after the falling clock edge, so a slave will see the correct value no matter if it samples at the rising or the falling clock edge or in the center.
Fallback to bitbanging is already done for the CRT connector.
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92685 Signed-off-by: Stefan Brüns stefan.bruens@rwth-aachen.de Signed-off-by: Daniel Vetter daniel.vetter@ffwll.ch Link: https://patchwork.freedesktop.org/patch/msgid/a39f080b-81a5-4c93-b3f7-7cb0a5... [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/gpu/drm/i915/intel_hdmi.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/i915/intel_hdmi.c +++ b/drivers/gpu/drm/i915/intel_hdmi.c @@ -971,6 +971,7 @@ intel_hdmi_detect(struct drm_connector * struct edid *edid; enum intel_display_power_domain power_domain; enum drm_connector_status status = connector_status_disconnected; + struct i2c_adapter *i2c;
DRM_DEBUG_KMS("[CONNECTOR:%d:%s]\n", connector->base.id, connector->name); @@ -981,9 +982,16 @@ intel_hdmi_detect(struct drm_connector * intel_hdmi->has_hdmi_sink = false; intel_hdmi->has_audio = false; intel_hdmi->rgb_quant_range_selectable = false; - edid = drm_get_edid(connector, - intel_gmbus_get_adapter(dev_priv, - intel_hdmi->ddc_bus)); + i2c = intel_gmbus_get_adapter(dev_priv, intel_hdmi->ddc_bus); + + edid = drm_get_edid(connector, i2c); + + if (!edid && !intel_gmbus_is_forced_bit(i2c)) { + DRM_DEBUG_KMS("HDMI GMBUS EDID read failed, retry using GPIO bit-banging\n"); + intel_gmbus_force_bit(i2c, true); + edid = drm_get_edid(connector, i2c); + intel_gmbus_force_bit(i2c, false); + }
if (edid) { if (edid->input & DRM_EDID_INPUT_DIGITAL) {
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann arnd@arndb.de
commit a398e043637a4819a0e96467bfecaabf3224dd62 upstream.
While experimenting with older compiler versions, I ran into a warning that no longer shows up on gcc-4.8 or newer:
drivers/media/platform/s3c-camif/camif-capture.c: In function '__camif_subdev_try_format': drivers/media/platform/s3c-camif/camif-capture.c:1265:25: error: array subscript is below array bounds
This is an off-by-one bug, leading to an access before the start of the array, while newer compilers silently assume this undefined behavior cannot happen and leave the loop at index 0 if no other entry matches.
As Sylvester explains, we actually need to ensure that the value is within the range, so this reworks the loop to be easier to parse correctly, and an additional check to fall back on the first format value for any unexpected input.
I found an existing gcc bug for it and added a reduced version of the function there.
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69249#c3 Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface")
Signed-off-by: Arnd Bergmann arnd@arndb.de Reviewed-by: Laurent Pinchart laurent.pinchart@ideasonboard.com Acked-by: Sakari Ailus sakari.ailus@linux.intel.com Signed-off-by: Mauro Carvalho Chehab mchehab@s-opensource.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/media/platform/s3c-camif/camif-capture.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/media/platform/s3c-camif/camif-capture.c +++ b/drivers/media/platform/s3c-camif/camif-capture.c @@ -1280,16 +1280,17 @@ static void __camif_subdev_try_format(st { const struct s3c_camif_variant *variant = camif->variant; const struct vp_pix_limits *pix_lim; - int i = ARRAY_SIZE(camif_mbus_formats); + unsigned int i;
/* FIXME: constraints against codec or preview path ? */ pix_lim = &variant->vp_pix_limits[VP_CODEC];
- while (i-- >= 0) + for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++) if (camif_mbus_formats[i] == mf->code) break;
- mf->code = camif_mbus_formats[i]; + if (i == ARRAY_SIZE(camif_mbus_formats)) + mf->code = camif_mbus_formats[0];
if (pad == CAMIF_SD_PAD_SINK) { v4l_bound_align_image(&mf->width, 8, CAMIF_MAX_PIX_WIDTH,
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit 40cab6e88cb0b6c56d3f30b7491a20e803f948f6 upstream.
OSS PCM stream management isn't modal but it allows ioctls issued at any time for changing the parameters. In the previous hardening patch ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write"), we covered these races and prevent the corruption by protecting the concurrent accesses via params_lock mutex. However, this means that some ioctls that try to change the stream parameter (e.g. channels or format) would be blocked until the read/write finishes, and it may take really long.
Basically changing the parameter while reading/writing is an invalid operation, hence it's even more user-friendly from the API POV if it returns -EBUSY in such a situation.
This patch adds such checks in the relevant ioctls with the addition of read/write access refcount.
Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- include/sound/pcm_oss.h | 1 + sound/core/oss/pcm_oss.c | 36 +++++++++++++++++++++++++++--------- 2 files changed, 28 insertions(+), 9 deletions(-)
--- a/include/sound/pcm_oss.h +++ b/include/sound/pcm_oss.h @@ -57,6 +57,7 @@ struct snd_pcm_oss_runtime { char *buffer; /* vmallocated period */ size_t buffer_used; /* used length from period buffer */ struct mutex params_lock; + atomic_t rw_ref; /* concurrent read/write accesses */ #ifdef CONFIG_SND_PCM_OSS_PLUGINS struct snd_pcm_plugin *plugin_first; struct snd_pcm_plugin *plugin_last; --- a/sound/core/oss/pcm_oss.c +++ b/sound/core/oss/pcm_oss.c @@ -1406,6 +1406,7 @@ static ssize_t snd_pcm_oss_write1(struct if (atomic_read(&substream->mmap_count)) return -ENXIO;
+ atomic_inc(&runtime->oss.rw_ref); while (bytes > 0) { if (mutex_lock_interruptible(&runtime->oss.params_lock)) { tmp = -ERESTARTSYS; @@ -1469,6 +1470,7 @@ static ssize_t snd_pcm_oss_write1(struct } tmp = 0; } + atomic_dec(&runtime->oss.rw_ref); return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp; }
@@ -1514,6 +1516,7 @@ static ssize_t snd_pcm_oss_read1(struct if (atomic_read(&substream->mmap_count)) return -ENXIO;
+ atomic_inc(&runtime->oss.rw_ref); while (bytes > 0) { if (mutex_lock_interruptible(&runtime->oss.params_lock)) { tmp = -ERESTARTSYS; @@ -1562,6 +1565,7 @@ static ssize_t snd_pcm_oss_read1(struct } tmp = 0; } + atomic_dec(&runtime->oss.rw_ref); return xfer > 0 ? (snd_pcm_sframes_t)xfer : tmp; }
@@ -1668,8 +1672,11 @@ static int snd_pcm_oss_sync(struct snd_p goto __direct; if ((err = snd_pcm_oss_make_ready(substream)) < 0) return err; - if (mutex_lock_interruptible(&runtime->oss.params_lock)) + atomic_inc(&runtime->oss.rw_ref); + if (mutex_lock_interruptible(&runtime->oss.params_lock)) { + atomic_dec(&runtime->oss.rw_ref); return -ERESTARTSYS; + } format = snd_pcm_oss_format_from(runtime->oss.format); width = snd_pcm_format_physical_width(format); if (runtime->oss.buffer_used > 0) { @@ -1681,10 +1688,8 @@ static int snd_pcm_oss_sync(struct snd_p runtime->oss.buffer + runtime->oss.buffer_used, size); err = snd_pcm_oss_sync1(substream, runtime->oss.period_bytes); - if (err < 0) { - mutex_unlock(&runtime->oss.params_lock); - return err; - } + if (err < 0) + goto unlock; } else if (runtime->oss.period_ptr > 0) { #ifdef OSS_DEBUG pcm_dbg(substream->pcm, "sync: period_ptr\n"); @@ -1694,10 +1699,8 @@ static int snd_pcm_oss_sync(struct snd_p runtime->oss.buffer, size * 8 / width); err = snd_pcm_oss_sync1(substream, size); - if (err < 0) { - mutex_unlock(&runtime->oss.params_lock); - return err; - } + if (err < 0) + goto unlock; } /* * The ALSA's period might be a bit large than OSS one. @@ -1728,7 +1731,11 @@ static int snd_pcm_oss_sync(struct snd_p snd_pcm_lib_writev(substream, buffers, size); } } +unlock: mutex_unlock(&runtime->oss.params_lock); + atomic_dec(&runtime->oss.rw_ref); + if (err < 0) + return err; /* * finish sync: drain the buffer */ @@ -1776,6 +1783,8 @@ static int snd_pcm_oss_set_rate(struct s rate = 192000; if (mutex_lock_interruptible(&runtime->oss.params_lock)) return -ERESTARTSYS; + if (atomic_read(&runtime->oss.rw_ref)) + return -EBUSY; if (runtime->oss.rate != rate) { runtime->oss.params = 1; runtime->oss.rate = rate; @@ -1810,6 +1819,8 @@ static int snd_pcm_oss_set_channels(stru runtime = substream->runtime; if (mutex_lock_interruptible(&runtime->oss.params_lock)) return -ERESTARTSYS; + if (atomic_read(&runtime->oss.rw_ref)) + return -EBUSY; if (runtime->oss.channels != channels) { runtime->oss.params = 1; runtime->oss.channels = channels; @@ -1898,6 +1909,8 @@ static int snd_pcm_oss_set_format(struct if (substream == NULL) continue; runtime = substream->runtime; + if (atomic_read(&runtime->oss.rw_ref)) + return -EBUSY; if (mutex_lock_interruptible(&runtime->oss.params_lock)) return -ERESTARTSYS; if (runtime->oss.format != format) { @@ -1952,6 +1965,8 @@ static int snd_pcm_oss_set_subdivide(str if (substream == NULL) continue; runtime = substream->runtime; + if (atomic_read(&runtime->oss.rw_ref)) + return -EBUSY; if (mutex_lock_interruptible(&runtime->oss.params_lock)) return -ERESTARTSYS; err = snd_pcm_oss_set_subdivide1(substream, subdivide); @@ -1990,6 +2005,8 @@ static int snd_pcm_oss_set_fragment(stru if (substream == NULL) continue; runtime = substream->runtime; + if (atomic_read(&runtime->oss.rw_ref)) + return -EBUSY; if (mutex_lock_interruptible(&runtime->oss.params_lock)) return -ERESTARTSYS; err = snd_pcm_oss_set_fragment1(substream, val); @@ -2384,6 +2401,7 @@ static void snd_pcm_oss_init_substream(s runtime->oss.maxfrags = 0; runtime->oss.subdivision = 0; substream->pcm_release = snd_pcm_oss_release_substream; + atomic_set(&runtime->oss.rw_ref, 0); }
static int snd_pcm_oss_release_file(struct snd_pcm_oss_file *pcm_oss_file)
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Francisco Jerez currojerez@riseup.net
commit 6a65c5b9326c9dd391afb1b3df75cbedffbaccdb upstream.
Until now the software command checker assumed that commands could read or write at most a single register per packet. This is not necessarily the case, MI_LOAD_REGISTER_IMM expects a variable-length list of offset/value pairs and writes them in sequence. The previous code would only check whether the first entry was valid, effectively allowing userspace to write unrestricted registers of the MMIO space by sending a multi-register write with a legal first register, with potential security implications on Gen6 and 7 hardware.
Fix it by extending the drm_i915_cmd_descriptor table to represent multi-register access and making validate_cmd() iterate for all register offsets present in the command packet.
Signed-off-by: Francisco Jerez currojerez@riseup.net Reviewed-by: Zhigang Gong zhigang.gong@linux.intel.com Signed-off-by: Daniel Vetter daniel.vetter@ffwll.ch Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/gpu/drm/i915/i915_cmd_parser.c | 74 +++++++++++++++----------- drivers/gpu/drm/i915/i915_drv.h | 5 ++ 2 files changed, 48 insertions(+), 31 deletions(-)
--- a/drivers/gpu/drm/i915/i915_cmd_parser.c +++ b/drivers/gpu/drm/i915/i915_cmd_parser.c @@ -123,7 +123,7 @@ static const struct drm_i915_cmd_descrip CMD( MI_SEMAPHORE_MBOX, SMI, !F, 0xFF, R ), CMD( MI_STORE_DWORD_INDEX, SMI, !F, 0xFF, R ), CMD( MI_LOAD_REGISTER_IMM(1), SMI, !F, 0xFF, W, - .reg = { .offset = 1, .mask = 0x007FFFFC } ), + .reg = { .offset = 1, .mask = 0x007FFFFC, .step = 2 } ), CMD( MI_STORE_REGISTER_MEM(1), SMI, !F, 0xFF, W | B, .reg = { .offset = 1, .mask = 0x007FFFFC }, .bits = {{ @@ -859,7 +859,7 @@ bool i915_needs_cmd_parser(struct intel_
static bool check_cmd(const struct intel_engine_cs *ring, const struct drm_i915_cmd_descriptor *desc, - const u32 *cmd, + const u32 *cmd, u32 length, const bool is_master, bool *oacontrol_set) { @@ -875,38 +875,49 @@ static bool check_cmd(const struct intel }
if (desc->flags & CMD_DESC_REGISTER) { - u32 reg_addr = cmd[desc->reg.offset] & desc->reg.mask; - /* - * OACONTROL requires some special handling for writes. We - * want to make sure that any batch which enables OA also - * disables it before the end of the batch. The goal is to - * prevent one process from snooping on the perf data from - * another process. To do that, we need to check the value - * that will be written to the register. Hence, limit - * OACONTROL writes to only MI_LOAD_REGISTER_IMM commands. + * Get the distance between individual register offset + * fields if the command can perform more than one + * access at a time. */ - if (reg_addr == OACONTROL) { - if (desc->cmd.value == MI_LOAD_REGISTER_MEM) { - DRM_DEBUG_DRIVER("CMD: Rejected LRM to OACONTROL\n"); - return false; - } + const u32 step = desc->reg.step ? desc->reg.step : length; + u32 offset;
- if (desc->cmd.value == MI_LOAD_REGISTER_IMM(1)) - *oacontrol_set = (cmd[2] != 0); - } + for (offset = desc->reg.offset; offset < length; + offset += step) { + const u32 reg_addr = cmd[offset] & desc->reg.mask; + + /* + * OACONTROL requires some special handling for + * writes. We want to make sure that any batch which + * enables OA also disables it before the end of the + * batch. The goal is to prevent one process from + * snooping on the perf data from another process. To do + * that, we need to check the value that will be written + * to the register. Hence, limit OACONTROL writes to + * only MI_LOAD_REGISTER_IMM commands. + */ + if (reg_addr == OACONTROL) { + if (desc->cmd.value == MI_LOAD_REGISTER_MEM) { + DRM_DEBUG_DRIVER("CMD: Rejected LRM to OACONTROL\n"); + return false; + }
- if (!valid_reg(ring->reg_table, - ring->reg_count, reg_addr)) { - if (!is_master || - !valid_reg(ring->master_reg_table, - ring->master_reg_count, - reg_addr)) { - DRM_DEBUG_DRIVER("CMD: Rejected register 0x%08X in command: 0x%08X (ring=%d)\n", - reg_addr, - *cmd, - ring->id); - return false; + if (desc->cmd.value == MI_LOAD_REGISTER_IMM(1)) + *oacontrol_set = (cmd[offset + 1] != 0); + } + + if (!valid_reg(ring->reg_table, + ring->reg_count, reg_addr)) { + if (!is_master || + !valid_reg(ring->master_reg_table, + ring->master_reg_count, + reg_addr)) { + DRM_DEBUG_DRIVER("CMD: Rejected register 0x%08X in command: 0x%08X (ring=%d)\n", + reg_addr, *cmd, + ring->id); + return false; + } } } } @@ -1020,7 +1031,8 @@ int i915_parse_cmds(struct intel_engine_ break; }
- if (!check_cmd(ring, desc, cmd, is_master, &oacontrol_set)) { + if (!check_cmd(ring, desc, cmd, length, is_master, + &oacontrol_set)) { ret = -EINVAL; break; } --- a/drivers/gpu/drm/i915/i915_drv.h +++ b/drivers/gpu/drm/i915/i915_drv.h @@ -1828,10 +1828,15 @@ struct drm_i915_cmd_descriptor { * Describes where to find a register address in the command to check * against the ring's register whitelist. Only valid if flags has the * CMD_DESC_REGISTER bit set. + * + * A non-zero step value implies that the command may access multiple + * registers in sequence (e.g. LRI), in that case step gives the + * distance in dwords between individual offset fields. */ struct { u32 offset; u32 mask; + u32 step; } reg;
#define MAX_CMD_DESC_BITMASKS 3
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King colin.king@canonical.com
commit 67300abdbe9f1717532aaf4e037222762716d0f6 upstream.
Currently an out of range dev->nr is detected by just reporting the issue and later on an out-of-bounds read on array card occurs because of this. Fix this by checking the upper range of dev->nr with the size of array card (removes the hard coded size), move this check earlier and also exit with the error -ENOSYS to avoid the later out-of-bounds array read.
Detected by CoverityScan, CID#711191 ("Out-of-bounds-read")
Fixes: commit 02b20b0b4cde ("V4L/DVB (12730): Add conexant cx25821 driver")
Signed-off-by: Colin Ian King colin.king@canonical.com Signed-off-by: Hans Verkuil hans.verkuil@cisco.com [hans.verkuil@cisco.com: %ld -> %zd] Signed-off-by: Mauro Carvalho Chehab mchehab@s-opensource.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/media/pci/cx25821/cx25821-core.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/media/pci/cx25821/cx25821-core.c +++ b/drivers/media/pci/cx25821/cx25821-core.c @@ -871,6 +871,10 @@ static int cx25821_dev_setup(struct cx25 dev->nr = ++cx25821_devcount; sprintf(dev->name, "cx25821[%d]", dev->nr);
+ if (dev->nr >= ARRAY_SIZE(card)) { + CX25821_INFO("dev->nr >= %zd", ARRAY_SIZE(card)); + return -ENODEV; + } if (dev->pci->device != 0x8210) { pr_info("%s(): Exiting. Incorrect Hardware device = 0x%02x\n", __func__, dev->pci->device); @@ -887,9 +891,6 @@ static int cx25821_dev_setup(struct cx25 dev->channels[i].sram_channels = &cx25821_sram_channels[i]; }
- if (dev->nr > 1) - CX25821_INFO("dev->nr > 1!"); - /* board config */ dev->board = 1; /* card[dev->nr]; */ dev->_max_num_decoders = MAX_DECODERS;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Julian Wiedmann jwi@linux.vnet.ibm.com
commit dae55b6fef58530c13df074bcc182c096609339e upstream.
Immediate retry of EQBS after CCQ 96 means that we potentially misreport the state of buffers inspected during the first EQBS call.
This occurs when 1. the first EQBS finds all inspected buffers still in the initial state set by the driver (ie INPUT EMPTY or OUTPUT PRIMED), 2. the EQBS terminates early with CCQ 96, and 3. by the time that the second EQBS comes around, the state of those previously inspected buffers has changed.
If the state reported by the second EQBS is 'driver-owned', all we know is that the previous buffers are driver-owned now as well. But we can't tell if they all have the same state. So for instance - the second EQBS reports OUTPUT EMPTY, but any number of the previous buffers could be OUTPUT ERROR by now, - the second EQBS reports OUTPUT ERROR, but any number of the previous buffers could be OUTPUT EMPTY by now.
Effectively, this can result in both over- and underreporting of errors.
If the state reported by the second EQBS is 'HW-owned', that doesn't guarantee that the previous buffers have not been switched to driver-owned in the mean time. So for instance - the second EQBS reports INPUT EMPTY, but any number of the previous buffers could be INPUT PRIMED (or INPUT ERROR) by now.
This would result in failure to process pending work on the queue. If it's the final check before yielding initiative, this can cause a (temporary) queue stall due to IRQ avoidance.
Fixes: 25f269f17316 ("[S390] qdio: EQBS retry after CCQ 96") Signed-off-by: Julian Wiedmann jwi@linux.vnet.ibm.com Reviewed-by: Benjamin Block bblock@linux.vnet.ibm.com Signed-off-by: Martin Schwidefsky schwidefsky@de.ibm.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/s390/cio/qdio_main.c | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-)
--- a/drivers/s390/cio/qdio_main.c +++ b/drivers/s390/cio/qdio_main.c @@ -126,7 +126,7 @@ static inline int qdio_check_ccq(struct static int qdio_do_eqbs(struct qdio_q *q, unsigned char *state, int start, int count, int auto_ack) { - int rc, tmp_count = count, tmp_start = start, nr = q->nr, retried = 0; + int rc, tmp_count = count, tmp_start = start, nr = q->nr; unsigned int ccq = 0;
qperf_inc(q, eqbs); @@ -149,14 +149,7 @@ again: qperf_inc(q, eqbs_partial); DBF_DEV_EVENT(DBF_WARN, q->irq_ptr, "EQBS part:%02x", tmp_count); - /* - * Retry once, if that fails bail out and process the - * extracted buffers before trying again. - */ - if (!retried++) - goto again; - else - return count - tmp_count; + return count - tmp_count; }
DBF_ERROR("%4x EQBS ERROR", SCH_NO(q));
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König u.kleine-koenig@pengutronix.de
commit 0e254963b6ba4d63ac911e79537fea38dd03dc50 upstream.
Most register accesses in the altera driver honor port->regshift by using altera_uart_writel(). There are a few accesses however that were missed when the driver was converted to use port->regshift and some others were added later in commit 4d9d7d896d77 ("serial: altera_uart: add earlycon support").
Fixes: 2780ad42f5fe ("tty: serial: altera_uart: Use port->regshift to store bus shift") Signed-off-by: Uwe Kleine-König u.kleine-koenig@pengutronix.de Acked-by: Tobias Klauser tklauser@distanz.ch Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [bwh: Backported to 3.16: Drop changes in altera_uart_earlycon_setup()] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/tty/serial/altera_uart.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/tty/serial/altera_uart.c +++ b/drivers/tty/serial/altera_uart.c @@ -335,7 +335,7 @@ static int altera_uart_startup(struct ua
/* Enable RX interrupts now */ pp->imr = ALTERA_UART_CONTROL_RRDY_MSK; - writel(pp->imr, port->membase + ALTERA_UART_CONTROL_REG); + altera_uart_writel(port, pp->imr, ALTERA_UART_CONTROL_REG);
spin_unlock_irqrestore(&port->lock, flags);
@@ -351,7 +351,7 @@ static void altera_uart_shutdown(struct
/* Disable all interrupts now */ pp->imr = 0; - writel(pp->imr, port->membase + ALTERA_UART_CONTROL_REG); + altera_uart_writel(port, pp->imr, ALTERA_UART_CONTROL_REG);
spin_unlock_irqrestore(&port->lock, flags);
@@ -441,7 +441,7 @@ static void altera_uart_console_putc(str ALTERA_UART_STATUS_TRDY_MSK)) cpu_relax();
- writel(c, port->membase + ALTERA_UART_TXDATA_REG); + altera_uart_writel(port, c, ALTERA_UART_TXDATA_REG); }
static void altera_uart_console_write(struct console *co, const char *s,
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o tytso@mit.edu
commit 85e0c4e89c1b864e763c4e3bb15d0b6d501ad5d9 upstream.
This updates the jbd2 superblock unnecessarily, and on an abort we shouldn't truncate the log.
Signed-off-by: Theodore Ts'o tytso@mit.edu Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/jbd2/journal.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
--- a/fs/jbd2/journal.c +++ b/fs/jbd2/journal.c @@ -923,7 +923,7 @@ out: }
/* - * This is a variaon of __jbd2_update_log_tail which checks for validity of + * This is a variation of __jbd2_update_log_tail which checks for validity of * provided log tail and locks j_checkpoint_mutex. So it is safe against races * with other threads updating log tail. */ @@ -1399,6 +1399,9 @@ int jbd2_journal_update_sb_log_tail(jour journal_superblock_t *sb = journal->j_superblock; int ret;
+ if (is_journal_aborted(journal)) + return -EIO; + BUG_ON(!mutex_is_locked(&journal->j_checkpoint_mutex)); jbd_debug(1, "JBD2: updating superblock (start %lu, seq %u)\n", tail_block, tail_tid);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo acme@redhat.com
commit a8403912d04e2c8271653bb5b7f6294dc6d322ac upstream.
We've had this since 2013, document it.
Cc: Adrian Hunter adrian.hunter@intel.com Cc: Andi Kleen ak@linux.intel.com Cc: David Ahern dsahern@gmail.com Cc: Jin Yao yao.jin@linux.intel.com Cc: Jiri Olsa jolsa@kernel.org Cc: Namhyung Kim namhyung@kernel.org Cc: Wang Nan wangnan0@huawei.com Cc: Willy Tarreau w@1wt.eu Fixes: fc2be6968e99 ("perf symbols: Add new option --ignore-vmlinux for perf top") Link: https://lkml.kernel.org/n/tip-0jwfueooddwfsw9r603belxi@git.kernel.org Signed-off-by: Arnaldo Carvalho de Melo acme@redhat.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- tools/perf/Documentation/perf-top.txt | 3 +++ 1 file changed, 3 insertions(+)
--- a/tools/perf/Documentation/perf-top.txt +++ b/tools/perf/Documentation/perf-top.txt @@ -65,6 +65,9 @@ Default is to monitor all CPUS. --vmlinux=<path>:: Path to vmlinux. Required for annotation functionality.
+--ignore-vmlinux:: + Ignore vmlinux files. + -m <pages>:: --mmap-pages=<pages>:: Number of mmap data pages (must be a power of two) or size
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit c64ed5dd9feba193c76eb460b451225ac2a0d87b upstream.
Fix the last standing EINTR in the whole subsystem. Use more correct ERESTARTSYS for pending signals.
Signed-off-by: Takashi Iwai tiwai@suse.de [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/core/oss/pcm_oss.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/core/oss/pcm_oss.c +++ b/sound/core/oss/pcm_oss.c @@ -852,7 +852,7 @@ static int snd_pcm_oss_change_params(str if (!(mutex_trylock(&runtime->oss.params_lock))) return -EAGAIN; } else if (mutex_lock_interruptible(&runtime->oss.params_lock)) - return -EINTR; + return -ERESTARTSYS; sw_params = kmalloc(sizeof(*sw_params), GFP_KERNEL); params = kmalloc(sizeof(*params), GFP_KERNEL); sparams = kmalloc(sizeof(*sparams), GFP_KERNEL);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven geert+renesas@glider.be
commit ffab87fdecc655cc676f8be8dd1a2c5e22bd6d47 upstream.
The lpuart_ports[] array is indexed using a value derived from the "serialN" alias in DT, which may lead to an out-of-bounds access.
Fix this by adding a range check.
Fixes: c9e2e946fb0ba5d2 ("tty: serial: add Freescale lpuart driver support") Signed-off-by: Geert Uytterhoeven geert+renesas@glider.be Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/tty/serial/fsl_lpuart.c | 4 ++++ 1 file changed, 4 insertions(+)
--- a/drivers/tty/serial/fsl_lpuart.c +++ b/drivers/tty/serial/fsl_lpuart.c @@ -1170,6 +1170,10 @@ static int lpuart_probe(struct platform_ dev_err(&pdev->dev, "failed to get alias id, errno %d\n", ret); return ret; } + if (ret >= ARRAY_SIZE(lpuart_ports)) { + dev_err(&pdev->dev, "serial%d out of range\n", ret); + return -EINVAL; + } sport->port.line = ret;
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eryu Guan guaneryu@gmail.com
commit 73fdad00b208b139cf43f3163fbc0f67e4c6047c upstream.
i_disksize update should be protected by i_data_sem, by either taking the lock explicitly or by using ext4_update_i_disksize() helper. But the i_disksize updates in ext4_direct_IO_write() are not protected at all, which may be racing with i_disksize updates in writeback path in delalloc buffer write path.
This is found by code inspection, and I didn't hit any i_disksize corruption due to this bug. Thanks to Jan Kara for catching this bug and suggesting the fix!
Reported-by: Jan Kara jack@suse.cz Suggested-by: Jan Kara jack@suse.cz Signed-off-by: Eryu Guan guaneryu@gmail.com Signed-off-by: Theodore Ts'o tytso@mit.edu [bwh: Backported to 3.16: The relevant code is in ext4_ind_direct_IO()] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/fs/ext4/indirect.c +++ b/fs/ext4/indirect.c @@ -649,7 +649,6 @@ ssize_t ext4_ind_direct_IO(int rw, struc { struct file *file = iocb->ki_filp; struct inode *inode = file->f_mapping->host; - struct ext4_inode_info *ei = EXT4_I(inode); handle_t *handle; ssize_t ret; int orphan = 0; @@ -672,7 +671,7 @@ ssize_t ext4_ind_direct_IO(int rw, struc goto out; } orphan = 1; - ei->i_disksize = inode->i_size; + ext4_update_i_disksize(inode, inode->i_size); ext4_journal_stop(handle); } } @@ -731,7 +730,7 @@ locked: if (ret > 0) { loff_t end = offset + ret; if (end > inode->i_size) { - ei->i_disksize = end; + ext4_update_i_disksize(inode, end); i_size_write(inode, end); /* * We're going to return a positive `ret'
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven geert+renesas@glider.be
commit f9f5786987e81d166c60833edcb7d1836aa16944 upstream.
The arc_uart_ports[] array is indexed using a value derived from the "serialN" alias in DT, which may lead to an out-of-bounds access.
Fix this by adding a range check.
Note that the array size is defined by a Kconfig symbol (CONFIG_SERIAL_ARC_NR_PORTS), so this can even be triggered using a legitimate DTB.
Fixes: ea28fd56fcde69af ("serial/arc-uart: switch to devicetree based probing") Signed-off-by: Geert Uytterhoeven geert+renesas@glider.be Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [bwh: Backported to 3.16: Put the check in arc_uart_init_one() and move initialisation of the uart variable below it] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/tty/serial/arc_uart.c +++ b/drivers/tty/serial/arc_uart.c @@ -531,8 +531,14 @@ arc_uart_init_one(struct platform_device { struct resource *res, *res2; unsigned long *plat_data; - struct arc_uart_port *uart = &arc_uart_ports[dev_id]; + struct arc_uart_port *uart;
+ if (dev_id >= ARRAY_SIZE(arc_uart_ports)) { + dev_err(&pdev->dev, "serial%d out of range\n", dev_id); + return -EINVAL; + } + + uart = &arc_uart_ports[dev_id]; plat_data = dev_get_platdata(&pdev->dev); if (!plat_data) return -ENODEV;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sudhir Sreedharan ssreedharan@mvista.com
commit 7972326a26b5bf8dc2adac575c4e03ee7e9d193a upstream.
This can be reproduced by bind/unbind the driver multiple times in AM3517 board.
Analysis revealed that rtl8187_start() was invoked before probe finishes(ie. before the mutex is initialized).
INFO: trying to register non-static key. the code is fine but needs lockdep annotation. turning off the locking correctness validator. CPU: 0 PID: 821 Comm: wpa_supplicant Not tainted 4.9.80-dirty #250 Hardware name: Generic AM3517 (Flattened Device Tree) [<c010e0d8>] (unwind_backtrace) from [<c010beac>] (show_stack+0x10/0x14) [<c010beac>] (show_stack) from [<c017401c>] (register_lock_class+0x4f4/0x55c) [<c017401c>] (register_lock_class) from [<c0176fe0>] (__lock_acquire+0x74/0x1938) [<c0176fe0>] (__lock_acquire) from [<c0178cfc>] (lock_acquire+0xfc/0x23c) [<c0178cfc>] (lock_acquire) from [<c08aa2f8>] (mutex_lock_nested+0x50/0x3b0) [<c08aa2f8>] (mutex_lock_nested) from [<c05f5bf8>] (rtl8187_start+0x2c/0xd54) [<c05f5bf8>] (rtl8187_start) from [<c082dea0>] (drv_start+0xa8/0x320) [<c082dea0>] (drv_start) from [<c084d1d4>] (ieee80211_do_open+0x2bc/0x8e4) [<c084d1d4>] (ieee80211_do_open) from [<c069be94>] (__dev_open+0xb8/0x120) [<c069be94>] (__dev_open) from [<c069c11c>] (__dev_change_flags+0x88/0x14c) [<c069c11c>] (__dev_change_flags) from [<c069c1f8>] (dev_change_flags+0x18/0x48) [<c069c1f8>] (dev_change_flags) from [<c0710b08>] (devinet_ioctl+0x738/0x840) [<c0710b08>] (devinet_ioctl) from [<c067925c>] (sock_ioctl+0x164/0x2f4) [<c067925c>] (sock_ioctl) from [<c02883f8>] (do_vfs_ioctl+0x8c/0x9d0) [<c02883f8>] (do_vfs_ioctl) from [<c0288da8>] (SyS_ioctl+0x6c/0x7c) [<c0288da8>] (SyS_ioctl) from [<c0107760>] (ret_fast_syscall+0x0/0x1c) Unable to handle kernel NULL pointer dereference at virtual address 00000000 pgd = cd1ec000 [00000000] *pgd=8d1de831, *pte=00000000, *ppte=00000000 Internal error: Oops: 817 [#1] PREEMPT ARM Modules linked in: CPU: 0 PID: 821 Comm: wpa_supplicant Not tainted 4.9.80-dirty #250 Hardware name: Generic AM3517 (Flattened Device Tree) task: ce73eec0 task.stack: cd1ea000 PC is at mutex_lock_nested+0xe8/0x3b0 LR is at mutex_lock_nested+0xd0/0x3b0
Signed-off-by: Sudhir Sreedharan ssreedharan@mvista.com Signed-off-by: Kalle Valo kvalo@codeaurora.org [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/wireless/rtl818x/rtl8187/dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/wireless/rtl818x/rtl8187/dev.c +++ b/drivers/net/wireless/rtl818x/rtl8187/dev.c @@ -1454,6 +1454,7 @@ static int rtl8187_probe(struct usb_inte goto err_free_dev; } mutex_init(&priv->io_mutex); + mutex_init(&priv->conf_mutex);
SET_IEEE80211_DEV(dev, &intf->dev); usb_set_intfdata(intf, dev); @@ -1627,7 +1628,6 @@ static int rtl8187_probe(struct usb_inte printk(KERN_ERR "rtl8187: Cannot register device\n"); goto err_free_dmabuf; } - mutex_init(&priv->conf_mutex); skb_queue_head_init(&priv->b_tx_status.queue);
wiphy_info(dev->wiphy, "hwaddr %pM, %s V%d + %s, rfkill mask %d\n",
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Thinh Nguyen Thinh.Nguyen@synopsys.com
commit cabdf83dadfb3d83eec31e0f0638a92dbd716435 upstream.
Platform device is allocated before adding resources. Make sure to properly cleanup on error case.
Fixes: f1c7e7108109 ("usb: dwc3: convert to pcim_enable_device()") Signed-off-by: Thinh Nguyen thinhn@synopsys.com Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com [bwh: Backported to 3.16: Cleanup label is called "err3"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/dwc3/dwc3-pci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/dwc3/dwc3-pci.c +++ b/drivers/usb/dwc3/dwc3-pci.c @@ -144,7 +144,7 @@ static int dwc3_pci_probe(struct pci_dev ret = platform_device_add_resources(dwc3, res, ARRAY_SIZE(res)); if (ret) { dev_err(dev, "couldn't add resources to dwc3 device\n"); - return ret; + goto err3; }
pci_set_drvdata(pci, glue);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bai Ping b51503@freescale.com
commit 84866ee5818e95f6e97194656777c10ac24cb9d3 upstream.
The irq handler should be registered after the tempmon module has been initialized in a known state and the thermal_zone and cpu_cooling device have been registered successfully. Otherwise, if the irq is triggled earlier before thermal probe has been finished, it may lead to 'NULL' pointer kernel panic.
Signed-off-by: Bai Ping b51503@freescale.com Signed-off-by: Eduardo Valentin edubezval@gmail.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/thermal/imx_thermal.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-)
--- a/drivers/thermal/imx_thermal.c +++ b/drivers/thermal/imx_thermal.c @@ -422,14 +422,6 @@ static int imx_thermal_probe(struct plat if (data->irq < 0) return data->irq;
- ret = devm_request_threaded_irq(&pdev->dev, data->irq, - imx_thermal_alarm_irq, imx_thermal_alarm_irq_thread, - 0, "imx_thermal", data); - if (ret < 0) { - dev_err(&pdev->dev, "failed to request alarm irq: %d\n", ret); - return ret; - } - platform_set_drvdata(pdev, data);
ret = imx_get_sensor_data(pdev); @@ -492,6 +484,17 @@ static int imx_thermal_probe(struct plat regmap_write(map, TEMPSENSE0 + REG_CLR, TEMPSENSE0_POWER_DOWN); regmap_write(map, TEMPSENSE0 + REG_SET, TEMPSENSE0_MEASURE_TEMP);
+ ret = devm_request_threaded_irq(&pdev->dev, data->irq, + imx_thermal_alarm_irq, imx_thermal_alarm_irq_thread, + 0, "imx_thermal", data); + if (ret < 0) { + dev_err(&pdev->dev, "failed to request alarm irq: %d\n", ret); + clk_disable_unprepare(data->thermal_clk); + thermal_zone_device_unregister(data->tz); + cpufreq_cooling_unregister(data->cdev); + return ret; + } + data->irq_enabled = true; data->mode = THERMAL_DEVICE_ENABLED;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven geert+renesas@glider.be
commit dd345a31bfdec350d2593e6de5964e55c7f19c76 upstream.
The auart_port[] array is indexed using a value derived from the "serialN" alias in DT, or from platform data, which may lead to an out-of-bounds access.
Fix this by adding a range check.
Fixes: 1ea6607d4cdc9179 ("serial: mxs-auart: Allow device tree probing") Signed-off-by: Geert Uytterhoeven geert+renesas@glider.be Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [bwh: Backported to 3.16: - Explicitly clean up port on error - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/tty/serial/mxs-auart.c | 4 ++++ 1 file changed, 4 insertions(+)
--- a/drivers/tty/serial/mxs-auart.c +++ b/drivers/tty/serial/mxs-auart.c @@ -1050,6 +1050,11 @@ static int mxs_auart_probe(struct platfo s->port.line = pdev->id < 0 ? 0 : pdev->id; else if (ret < 0) goto out_free; + if (s->port.line >= ARRAY_SIZE(auart_port)) { + dev_err(&pdev->dev, "serial%d out of range\n", s->port.line); + ret = -EINVAL; + goto out_free; + }
if (of_id) { pdev->id_entry = of_id->data;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche bart.vanassche@wdc.com
commit e68088e78d82920632eba112b968e49d588d02a2 upstream.
Before commit e494f6a72839 ("[SCSI] improved eh timeout handler") it did not really matter whether or not abort handlers like srp_abort() called .scsi_done() when returning another value than SUCCESS. Since that commit however this matters. Hence only call .scsi_done() when returning SUCCESS.
Signed-off-by: Bart Van Assche bart.vanassche@wdc.com Signed-off-by: Jason Gunthorpe jgg@mellanox.com [bwh: Backported to 3.16: s/ch/target/] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/infiniband/ulp/srp/ib_srp.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/infiniband/ulp/srp/ib_srp.c +++ b/drivers/infiniband/ulp/srp/ib_srp.c @@ -2393,9 +2393,11 @@ static int srp_abort(struct scsi_cmnd *s ret = FAST_IO_FAIL; else ret = FAILED; - srp_free_req(target, req, scmnd, 0); - scmnd->result = DID_ABORT << 16; - scmnd->scsi_done(scmnd); + if (ret == SUCCESS) { + srp_free_req(target, req, scmnd, 0); + scmnd->result = DID_ABORT << 16; + scmnd->scsi_done(scmnd); + }
return ret; }
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mika Westerberg mika.westerberg@linux.intel.com
commit 13d3047c81505cc0fb9bdae7810676e70523c8bf upstream.
Mike Lothian reported that plugging in a USB-C device does not work properly in his Dell Alienware system. This system has an Intel Alpine Ridge Thunderbolt controller providing USB-C functionality. In these systems the USB controller (xHCI) is hotplugged whenever a device is connected to the port using ACPI-based hotplug.
The ACPI description of the root port in question is as follows:
Device (RP01) { Name (_ADR, 0x001C0000)
Device (PXSX) { Name (_ADR, 0x02)
Method (_RMV, 0, NotSerialized) { // ... } }
Here _ADR 0x02 means device 0, function 2 on the bus under root port (RP01) but that seems to be incorrect because device 0 is the upstream port of the Alpine Ridge PCIe switch and it has no functions other than 0 (the bridge itself). When we get ACPI Notify() to the root port resulting from connecting a USB-C device, Linux tries to read PCI_VENDOR_ID from device 0, function 2 which of course always returns 0xffffffff because there is no such function and we never find the device.
In Windows this works fine.
Now, since we get ACPI Notify() to the root port and not to the PXSX device we should actually start our scan from there as well and not from the non-existent PXSX device. Fix this by checking presence of the slot itself (function 0) if we fail to do that otherwise.
While there use pci_bus_read_dev_vendor_id() in get_slot_status(), which is the recommended way to read Device and Vendor IDs of devices on PCI buses.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=198557 Reported-by: Mike Lothian mike@fireburn.co.uk Signed-off-by: Mika Westerberg mika.westerberg@linux.intel.com Signed-off-by: Bjorn Helgaas bhelgaas@google.com Reviewed-by: Rafael J. Wysocki rafael.j.wysocki@intel.com Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/pci/hotplug/acpiphp_glue.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-)
--- a/drivers/pci/hotplug/acpiphp_glue.c +++ b/drivers/pci/hotplug/acpiphp_glue.c @@ -601,6 +601,7 @@ static unsigned int get_slot_status(stru { unsigned long long sta = 0; struct acpiphp_func *func; + u32 dvid;
list_for_each_entry(func, &slot->funcs, sibling) { if (func->flags & FUNC_HAS_STA) { @@ -611,19 +612,27 @@ static unsigned int get_slot_status(stru if (ACPI_SUCCESS(status) && sta) break; } else { - u32 dvid; - - pci_bus_read_config_dword(slot->bus, - PCI_DEVFN(slot->device, - func->function), - PCI_VENDOR_ID, &dvid); - if (dvid != 0xffffffff) { + if (pci_bus_read_dev_vendor_id(slot->bus, + PCI_DEVFN(slot->device, func->function), + &dvid, 0)) { sta = ACPI_STA_ALL; break; } } }
+ if (!sta) { + /* + * Check for the slot itself since it may be that the + * ACPI slot is a device below PCIe upstream port so in + * that case it may not even be reachable yet. + */ + if (pci_bus_read_dev_vendor_id(slot->bus, + PCI_DEVFN(slot->device, 0), &dvid, 0)) { + sta = ACPI_STA_ALL; + } + } + return (unsigned int)sta; }
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit 8f461b1e02ed546fbd0f11611138da67fd85a30f upstream.
With ecb-cast5-avx, if a 128+ byte scatterlist element followed a shorter one, then the algorithm accidentally encrypted/decrypted only 8 bytes instead of the expected 128 bytes. Fix it by setting the encryption/decryption 'fn' correctly.
Fixes: c12ab20b162c ("crypto: cast5/avx - avoid using temporary stack buffers") Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/x86/crypto/cast5_avx_glue.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
--- a/arch/x86/crypto/cast5_avx_glue.c +++ b/arch/x86/crypto/cast5_avx_glue.c @@ -67,8 +67,6 @@ static int ecb_crypt(struct blkcipher_de void (*fn)(struct cast5_ctx *ctx, u8 *dst, const u8 *src); int err;
- fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way; - err = blkcipher_walk_virt(desc, walk); desc->flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
@@ -80,6 +78,7 @@ static int ecb_crypt(struct blkcipher_de
/* Process multi-block batch */ if (nbytes >= bsize * CAST5_PARALLEL_BLOCKS) { + fn = (enc) ? cast5_ecb_enc_16way : cast5_ecb_dec_16way; do { fn(ctx, wdst, wsrc);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sean Young sean@mess.org
commit 8d4068810d9926250dd2435719a080b889eb44c3 upstream.
If there is IR in the raw kfifo when ir_raw_event_unregister() is called, then kthread_stop() causes ir_raw_event_thread to be scheduled, decode some scancodes and re-arm timer_keyup. The timer_keyup then fires when the rc device is long gone.
Signed-off-by: Sean Young sean@mess.org Signed-off-by: Mauro Carvalho Chehab mchehab@s-opensource.com [bwh: Backported to 3.16: - There's no timer_repeat to move - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/media/rc/rc-main.c +++ b/drivers/media/rc/rc-main.c @@ -1427,13 +1427,13 @@ void rc_unregister_device(struct rc_dev if (!dev) return;
- del_timer_sync(&dev->timer_keyup); - clear_bit(dev->devno, ir_core_dev_number);
if (dev->driver_type == RC_DRIVER_IR_RAW) ir_raw_event_unregister(dev);
+ del_timer_sync(&dev->timer_keyup); + /* Freeing the table should also call the stop callback */ ir_free_table(&dev->rc_map); IR_dprintk(1, "Freed keycode table\n");
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold johan@kernel.org
commit 1f1e82f74c0947e40144688c9e36abe4b3999f49 upstream.
Add device id for ELDAT Easywave RX09 tranceiver.
Reported-by: Jan Jansen nattelip@hotmail.com Signed-off-by: Johan Hovold johan@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/serial/cp210x.c | 1 + 1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/cp210x.c +++ b/drivers/usb/serial/cp210x.c @@ -151,6 +151,7 @@ static const struct usb_device_id id_tab { USB_DEVICE(0x12B8, 0xEC62) }, /* Link G4+ ECU */ { USB_DEVICE(0x13AD, 0x9999) }, /* Baltech card reader */ { USB_DEVICE(0x1555, 0x0004) }, /* Owen AC4 USB-RS485 Converter */ + { USB_DEVICE(0x155A, 0x1006) }, /* ELDAT Easywave RX09 */ { USB_DEVICE(0x166A, 0x0201) }, /* Clipsal 5500PACA C-Bus Pascal Automation Controller */ { USB_DEVICE(0x166A, 0x0301) }, /* Clipsal 5800PC C-Bus Wireless PC Interface */ { USB_DEVICE(0x166A, 0x0303) }, /* Clipsal 5500PCU C-Bus USB interface */
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dennis Wassenberg dennis.wassenberg@secunet.com
commit b56af54ac78c54a519d82813836f305d7f76ef27 upstream.
Reset i8042 before probing because of insufficient BIOS initialisation of the i8042 serial controller. This makes Synaptics touchpad detection possible. Without resetting the Synaptics touchpad is not detected because there are always NACK messages from AUX port.
Signed-off-by: Dennis Wassenberg dennis.wassenberg@secunet.com Signed-off-by: Dmitry Torokhov dmitry.torokhov@gmail.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/input/serio/i8042-x86ia64io.h | 7 +++++++ 1 file changed, 7 insertions(+)
--- a/drivers/input/serio/i8042-x86ia64io.h +++ b/drivers/input/serio/i8042-x86ia64io.h @@ -595,6 +595,13 @@ static const struct dmi_system_id __init }, }, { + /* Lenovo ThinkPad L460 */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), + DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L460"), + }, + }, + { /* Clevo P650RS, 650RP6, Sager NP8152-S, and others */ .matches = { DMI_MATCH(DMI_SYS_VENDOR, "Notebook"),
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Julian Wiedmann jwi@linux.vnet.ibm.com
commit 0cf1e05157b9e5530dcc3ca9fec9bf617fc93375 upstream.
On an Output queue, both EMPTY and PENDING buffer states imply that the buffer is ready for completion-processing by the upper-layer drivers.
So for a non-QEBSM Output queue, get_buf_states() merges mixed batches of PENDING and EMPTY buffers into one large batch of EMPTY buffers. The upper-layer driver (ie. qeth) later distuingishes PENDING from EMPTY by inspecting the slsb_state for QDIO_OUTBUF_STATE_FLAG_PENDING.
But the merge logic in get_buf_states() contains a bug that causes us to erronously also merge ERROR buffers into such a batch of EMPTY buffers (ERROR is 0xaf, EMPTY is 0xa1; so ERROR & EMPTY == EMPTY). Effectively, most outbound ERROR buffers are currently discarded silently and processed as if they had succeeded.
Note that this affects _all_ non-QEBSM device types, not just IQD with CQ.
Fix it by explicitly spelling out the exact conditions for merging.
For extracting the "get initial state" part out of the loop, this relies on the fact that get_buf_states() is never called with a count of 0. The QEBSM path already strictly requires this, and the two callers with variable 'count' make sure of it.
Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks") Signed-off-by: Julian Wiedmann jwi@linux.vnet.ibm.com Reviewed-by: Ursula Braun ubraun@linux.vnet.ibm.com Reviewed-by: Benjamin Block bblock@linux.vnet.ibm.com Signed-off-by: Martin Schwidefsky schwidefsky@de.ibm.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/s390/cio/qdio_main.c | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-)
--- a/drivers/s390/cio/qdio_main.c +++ b/drivers/s390/cio/qdio_main.c @@ -212,7 +212,10 @@ again: return 0; }
-/* returns number of examined buffers and their common state in *state */ +/* + * Returns number of examined buffers and their common state in *state. + * Requested number of buffers-to-examine must be > 0. + */ static inline int get_buf_states(struct qdio_q *q, unsigned int bufnr, unsigned char *state, unsigned int count, int auto_ack, int merge_pending) @@ -223,17 +226,23 @@ static inline int get_buf_states(struct if (is_qebsm(q)) return qdio_do_eqbs(q, state, bufnr, count, auto_ack);
- for (i = 0; i < count; i++) { - if (!__state) { - __state = q->slsb.val[bufnr]; - if (merge_pending && __state == SLSB_P_OUTPUT_PENDING) - __state = SLSB_P_OUTPUT_EMPTY; - } else if (merge_pending) { - if ((q->slsb.val[bufnr] & __state) != __state) - break; - } else if (q->slsb.val[bufnr] != __state) - break; + /* get initial state: */ + __state = q->slsb.val[bufnr]; + if (merge_pending && __state == SLSB_P_OUTPUT_PENDING) + __state = SLSB_P_OUTPUT_EMPTY; + + for (i = 1; i < count; i++) { bufnr = next_buf(bufnr); + + /* merge PENDING into EMPTY: */ + if (merge_pending && + q->slsb.val[bufnr] == SLSB_P_OUTPUT_PENDING && + __state == SLSB_P_OUTPUT_EMPTY) + continue; + + /* stop if next state differs from initial state: */ + if (q->slsb.val[bufnr] != __state) + break; } *state = __state; return i;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck linux@roeck-us.net
commit a46f8cd696624ef757be0311eb28f119c36778e8 upstream.
A negative page register value means that no page needs to be selected. This is used by status register evaluations and needs to be accepted.
Fixes: da8e48ab483e1 ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver") Signed-off-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/hwmon/pmbus/max8688.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hwmon/pmbus/max8688.c +++ b/drivers/hwmon/pmbus/max8688.c @@ -44,7 +44,7 @@ static int max8688_read_word_data(struct { int ret;
- if (page) + if (page > 0) return -ENXIO;
switch (reg) {
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Liu Bo bo.li.liu@oracle.com
commit 5811375325420052fcadd944792a416a43072b7f upstream.
Fstests generic/475 provides a way to fail metadata reads while checking if checksum exists for the inode inside run_delalloc_nocow(), and csum_exist_in_range() interprets error (-EIO) as inode having checksum and makes its caller enter the cow path.
In case of free space inode, this ends up with a warning in cow_file_range().
The same problem applies to btrfs_cross_ref_exist() since it may also read metadata in between.
With this, run_delalloc_nocow() bails out when errors occur at the two places.
Fixes: 17d217fe970d ("Btrfs: fix nodatasum handling in balancing code") Signed-off-by: Liu Bo bo.li.liu@oracle.com Signed-off-by: David Sterba dsterba@suse.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -1145,6 +1145,8 @@ static noinline int csum_exist_in_range( list_del(&sums->list); kfree(sums); } + if (ret < 0) + return ret; return 1; }
@@ -1294,10 +1296,23 @@ next_slot: goto out_check; if (btrfs_extent_readonly(root, disk_bytenr)) goto out_check; - if (btrfs_cross_ref_exist(trans, root, ino, - found_key.offset - - extent_offset, disk_bytenr)) + ret = btrfs_cross_ref_exist(trans, root, ino, + found_key.offset - + extent_offset, disk_bytenr); + if (ret) { + /* + * ret could be -EIO if the above fails to read + * metadata. + */ + if (ret < 0) { + if (cow_start != (u64)-1) + cur_offset = cow_start; + goto error; + } + + WARN_ON_ONCE(nolock); goto out_check; + } disk_bytenr += extent_offset; disk_bytenr += cur_offset - found_key.offset; num_bytes = min(end + 1, extent_end) - cur_offset; @@ -1315,8 +1330,22 @@ next_slot: * this ensure that csum for a given extent are * either valid or do not exist. */ - if (csum_exist_in_range(root, disk_bytenr, num_bytes)) + ret = csum_exist_in_range(root, disk_bytenr, + num_bytes); + if (ret) { + + /* + * ret could be -EIO if the above fails to read + * metadata. + */ + if (ret < 0) { + if (cow_start != (u64)-1) + cur_offset = cow_start; + goto error; + } + WARN_ON_ONCE(nolock); goto out_check; + } nocow = 1; } else if (extent_type == BTRFS_FILE_EXTENT_INLINE) { extent_end = found_key.offset +
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Zhengjun Xing zhengjun.xing@linux.intel.com
commit 64627388b50158fd24d6ad88132525b95a5ef573 upstream.
USB3 hubs don't support global suspend.
USB3 specification 10.10, Enhanced SuperSpeed hubs only support selective suspend and resume, they do not support global suspend/resume where the hub downstream facing ports states are not affected.
When system enters hibernation it first enters freeze process where only the root hub enters suspend, usb_port_suspend() is not called for other devices, and suspend status flags are not set for them. Other devices are expected to suspend globally. Some external USB3 hubs will suspend the downstream facing port at global suspend. These devices won't be resumed at thaw as the suspend status flag is not set.
A USB3 removable hard disk connected through a USB3 hub that won't resume at thaw will fail to synchronize SCSI cache, return “cmd cmplt err -71” error, and needs a 60 seconds timeout which causing system hang for 60s before the USB host reset the port for the USB3 removable hard disk to recover.
Fix this by always calling usb_port_suspend() during freeze for USB3 devices.
Signed-off-by: Zhengjun Xing zhengjun.xing@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/core/generic.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/usb/core/generic.c +++ b/drivers/usb/core/generic.c @@ -208,8 +208,13 @@ static int generic_suspend(struct usb_de if (!udev->parent) rc = hcd_bus_suspend(udev, msg);
- /* Non-root devices don't need to do anything for FREEZE or PRETHAW */ - else if (msg.event == PM_EVENT_FREEZE || msg.event == PM_EVENT_PRETHAW) + /* + * Non-root USB2 devices don't need to do anything for FREEZE + * or PRETHAW. USB3 devices don't support global suspend and + * needs to be selectively suspended. + */ + else if ((msg.event == PM_EVENT_FREEZE || msg.event == PM_EVENT_PRETHAW) + && (udev->speed < USB_SPEED_SUPER)) rc = 0; else rc = usb_port_suspend(udev, msg);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mikhail Lappo mikhail.lappo@esrlabs.com
commit cf1ba1d73a33944d8c1a75370a35434bf146b8a7 upstream.
When device boots with T > T_trip_1 and requests interrupt, the race condition takes place. The interrupt comes before THERMAL_DEVICE_ENABLED is set. This leads to an attempt to reading sensor value from irq and disabling the sensor, based on the data->mode field, which expected to be THERMAL_DEVICE_ENABLED, but still stays as THERMAL_DEVICE_DISABLED. Afher this issue sensor is never re-enabled, as the driver state is wrong.
Fix this problem by setting the 'data' members prior to requesting the interrupts.
Fixes: 37713a1e8e4c ("thermal: imx: implement thermal alarm interrupt handling") Signed-off-by: Mikhail Lappo mikhail.lappo@esrlabs.com Signed-off-by: Fabio Estevam fabio.estevam@nxp.com Reviewed-by: Philipp Zabel p.zabel@pengutronix.de Acked-by: Dong Aisheng aisheng.dong@nxp.com Signed-off-by: Zhang Rui rui.zhang@intel.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/thermal/imx_thermal.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/thermal/imx_thermal.c +++ b/drivers/thermal/imx_thermal.c @@ -484,6 +484,9 @@ static int imx_thermal_probe(struct plat regmap_write(map, TEMPSENSE0 + REG_CLR, TEMPSENSE0_POWER_DOWN); regmap_write(map, TEMPSENSE0 + REG_SET, TEMPSENSE0_MEASURE_TEMP);
+ data->irq_enabled = true; + data->mode = THERMAL_DEVICE_ENABLED; + ret = devm_request_threaded_irq(&pdev->dev, data->irq, imx_thermal_alarm_irq, imx_thermal_alarm_irq_thread, 0, "imx_thermal", data); @@ -495,9 +498,6 @@ static int imx_thermal_probe(struct plat return ret; }
- data->irq_enabled = true; - data->mode = THERMAL_DEVICE_ENABLED; - return 0; }
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Clemens Werther clemens.werther@gmail.com
commit 6555ad13a01952c16485c82a52ad1f3e07e34b3a upstream.
Add device id for Harman FirmwareHubEmulator to make the device auto-detectable by the driver.
Signed-off-by: Clemens Werther clemens.werther@gmail.com Signed-off-by: Johan Hovold johan@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/serial/ftdi_sio.c | 1 + drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++ 2 files changed, 7 insertions(+)
--- a/drivers/usb/serial/ftdi_sio.c +++ b/drivers/usb/serial/ftdi_sio.c @@ -949,6 +949,7 @@ static const struct usb_device_id id_tab { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_LS_LOGBOOK_PID) }, { USB_DEVICE(FTDI_VID, FTDI_SCIENCESCOPE_HS_LOGBOOK_PID) }, { USB_DEVICE(FTDI_VID, FTDI_CINTERION_MC55I_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_FHE_PID) }, { USB_DEVICE(FTDI_VID, FTDI_DOTEC_PID) }, { USB_DEVICE(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID), .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, --- a/drivers/usb/serial/ftdi_sio_ids.h +++ b/drivers/usb/serial/ftdi_sio_ids.h @@ -1444,6 +1444,12 @@ #define FTDI_CINTERION_MC55I_PID 0xA951
/* + * Product: FirmwareHubEmulator + * Manufacturer: Harman Becker Automotive Systems + */ +#define FTDI_FHE_PID 0xA9A0 + +/* * Product: Comet Caller ID decoder * Manufacturer: Crucible Technologies */
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jason Andryuk jandryuk@gmail.com
commit ef6eaf27274c0351f7059163918f3795da13199c upstream.
Commit ac75a041048b ("HID: i2c-hid: fix size check and type usage") started writing messages when the ret_size is <= 2 from i2c_master_recv. However, my device i2c-DLL07D1 returns 2 for a short period of time (~0.5s) after I stop moving the pointing stick or touchpad. It varies, but you get ~50 messages each time which spams the log hard.
[ 95.925055] i2c_hid i2c-DLL07D1:01: i2c_hid_get_input: incomplete report (83/2)
This has also been observed with a i2c-ALP0017.
[ 1781.266353] i2c_hid i2c-ALP0017:00: i2c_hid_get_input: incomplete report (30/2)
Only print the message when ret_size is totally invalid and less than 2 to cut down on the log spam.
Fixes: ac75a041048b ("HID: i2c-hid: fix size check and type usage") Reported-by: John Smith john-s-84@gmx.net Signed-off-by: Jason Andryuk jandryuk@gmail.com Signed-off-by: Jiri Kosina jkosina@suse.cz Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/hid/i2c-hid/i2c-hid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hid/i2c-hid/i2c-hid.c +++ b/drivers/hid/i2c-hid/i2c-hid.c @@ -399,7 +399,7 @@ static void i2c_hid_get_input(struct i2c return; }
- if ((ret_size > size) || (ret_size <= 2)) { + if ((ret_size > size) || (ret_size < 2)) { dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n", __func__, size, ret_size); return;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sergei Shtylyov sergei.shtylyov@cogentembedded.com
commit 8525d04ba8a6a9ecfa4bd619c988ca873a5fc2a4 upstream.
According to the latest revision 2.00 of the R-Car Gen2 manual, the LVDS and the bias circuit must be enabled after the LVDS I/O pins are enabled, not before. Fix the Gen2 LVDS startup sequence accordingly.
While at it, also fix the comment preceding the first LVDCR0 write that still talks about hardcoding the LVDS mode 0.
Fixes: 90374b5c25c9 ("drm/rcar-du: Add internal LVDS encoder support") Signed-off-by: Sergei Shtylyov sergei.shtylyov@cogentembedded.com Reviewed-by: Laurent Pinchart laurent.pinchart+renesas@ideasonboard.com Tested-by: Laurent Pinchart laurent.pinchart+renesas@ideasonboard.com Signed-off-by: Laurent Pinchart laurent.pinchart+renesas@ideasonboard.com [bwh: Backported to 3.16: - Mode is always 0 - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c +++ b/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c @@ -87,10 +87,8 @@ static int rcar_du_lvdsenc_start(struct
rcar_lvds_write(lvds, LVDCHCR, lvdhcr);
- /* Select the input, hardcode mode 0, enable LVDS operation and turn - * bias circuitry on. - */ - lvdcr0 = LVDCR0_BEN | LVDCR0_LVEN; + /* Select the input and set the LVDS mode. */ + lvdcr0 = 0; if (rcrtc->index == 2) lvdcr0 |= LVDCR0_DUSEL; rcar_lvds_write(lvds, LVDCR0, lvdcr0); @@ -99,6 +97,10 @@ static int rcar_du_lvdsenc_start(struct rcar_lvds_write(lvds, LVDCR1, LVDCR1_CHSTBY(3) | LVDCR1_CHSTBY(2) | LVDCR1_CHSTBY(1) | LVDCR1_CHSTBY(0) | LVDCR1_CLKSTBY);
+ /* Enable LVDS operation and turn bias circuitry on. */ + lvdcr0 |= LVDCR0_BEN | LVDCR0_LVEN; + rcar_lvds_write(lvds, LVDCR0, lvdcr0); + /* Turn the PLL on, wait for the startup delay, and turn the output * on. */
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Ferre nicolas.ferre@microchip.com
commit e8fd0adf105e132fd84545997bbef3d5edc2c9c1 upstream.
There are only 19 PIOB pins having primary names PB0-PB18. Not all of them have a 'C' function. So the pinctrl property mask ends up being the same as the other SoC of the at91sam9x5 series.
Reported-by: Marek Sieranski marek.sieranski@microchip.com Signed-off-by: Nicolas Ferre nicolas.ferre@microchip.com Signed-off-by: Alexandre Belloni alexandre.belloni@bootlin.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/arm/boot/dts/at91sam9g25.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm/boot/dts/at91sam9g25.dtsi +++ b/arch/arm/boot/dts/at91sam9g25.dtsi @@ -20,7 +20,7 @@ atmel,mux-mask = < /* A B C */ 0xffffffff 0xffe0399f 0xc000001c /* pioA */ - 0x0007ffff 0x8000fe3f 0x00000000 /* pioB */ + 0x0007ffff 0x00047e3f 0x00000000 /* pioB */ 0x80000000 0x07c0ffff 0xb83fffff /* pioC */ 0x003fffff 0x003f8000 0x00000000 /* pioD */ >;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Charles Keepax ckeepax@opensource.cirrus.com
commit b8f9a03b741ddfdde4aa8b607fa7d88eb63a6338 upstream.
The current implementation is broken for regmaps that have a reg_stride, since it doesn't take the stride into account. Correct this by using the helper function to calculate the register offset.
Fixes: f01ee60fffa4 ("regmap: implement register striding") Signed-off-by: Charles Keepax ckeepax@opensource.cirrus.com Signed-off-by: Mark Brown broonie@kernel.org [bwh: Backported to 3.16: Use simple multiplication instead of regmap_get_offset()] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/base/regmap/regmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/base/regmap/regmap.c +++ b/drivers/base/regmap/regmap.c @@ -144,7 +144,7 @@ static bool regmap_volatile_range(struct unsigned int i;
for (i = 0; i < num; i++) - if (!regmap_volatile(map, reg + i)) + if (!regmap_volatile(map, reg + (i * map->reg_stride))) return false;
return true;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Brad Volkin bradley.d.volkin@intel.com
commit 00caf0199f66871b0e2c28d7c2079de0ce1d646c upstream.
The other paths in the command parser that reject a batch all log a message indicating the reason. We simply missed this one.
Signed-off-by: Brad Volkin bradley.d.volkin@intel.com Signed-off-by: Daniel Vetter daniel.vetter@ffwll.ch Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/gpu/drm/i915/i915_cmd_parser.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/i915/i915_cmd_parser.c +++ b/drivers/gpu/drm/i915/i915_cmd_parser.c @@ -887,8 +887,10 @@ static bool check_cmd(const struct intel * OACONTROL writes to only MI_LOAD_REGISTER_IMM commands. */ if (reg_addr == OACONTROL) { - if (desc->cmd.value == MI_LOAD_REGISTER_MEM) + if (desc->cmd.value == MI_LOAD_REGISTER_MEM) { + DRM_DEBUG_DRIVER("CMD: Rejected LRM to OACONTROL\n"); return false; + }
if (desc->cmd.value == MI_LOAD_REGISTER_IMM(1)) *oacontrol_set = (cmd[2] != 0);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Ma aaron.ma@canonical.com
commit ac75a041048b8c1f7418e27621ca5efda8571043 upstream.
When convert char array with signed int, if the inbuf[x] is negative then upper bits will be set to 1. Fix this by using u8 instead of char.
ret_size has to be at least 3, hid_input_report use it after minus 2 bytes.
Signed-off-by: Aaron Ma aaron.ma@canonical.com Signed-off-by: Jiri Kosina jkosina@suse.cz Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/hid/i2c-hid/i2c-hid.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-)
--- a/drivers/hid/i2c-hid/i2c-hid.c +++ b/drivers/hid/i2c-hid/i2c-hid.c @@ -136,10 +136,10 @@ struct i2c_hid { * register of the HID * descriptor. */ unsigned int bufsize; /* i2c buffer size */ - char *inbuf; /* Input buffer */ - char *rawbuf; /* Raw Input buffer */ - char *cmdbuf; /* Command buffer */ - char *argsbuf; /* Command arguments buffer */ + u8 *inbuf; /* Input buffer */ + u8 *rawbuf; /* Raw Input buffer */ + u8 *cmdbuf; /* Command buffer */ + u8 *argsbuf; /* Command arguments buffer */
unsigned long flags; /* device flags */
@@ -373,7 +373,8 @@ static int i2c_hid_hwreset(struct i2c_cl
static void i2c_hid_get_input(struct i2c_hid *ihid) { - int ret, ret_size; + int ret; + u32 ret_size; int size = le16_to_cpu(ihid->hdesc.wMaxInputLength);
if (size > ihid->bufsize) @@ -398,7 +399,7 @@ static void i2c_hid_get_input(struct i2c return; }
- if (ret_size > size) { + if ((ret_size > size) || (ret_size <= 2)) { dev_err(&ihid->client->dev, "%s: incomplete report (%d/%d)\n", __func__, size, ret_size); return;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven geert+renesas@glider.be
commit afc7851fab8329eddcf321c9e0a58c893f351dd6 upstream.
The serial_pxa_ports[] array is indexed using a value derived from the "serialN" alias in DT, or from platform data, which may lead to an out-of-bounds access.
Fix this by adding a range check.
Fixes: 699c20f3e6310aa2 ("serial: pxa: add OF support") Signed-off-by: Geert Uytterhoeven geert+renesas@glider.be Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/tty/serial/pxa.c | 4 ++++ 1 file changed, 4 insertions(+)
--- a/drivers/tty/serial/pxa.c +++ b/drivers/tty/serial/pxa.c @@ -888,6 +888,10 @@ static int serial_pxa_probe(struct platf sport->port.line = dev->id; else if (ret < 0) goto err_clk; + if (sport->port.line >= ARRAY_SIZE(serial_pxa_ports)) { + dev_err(&dev->dev, "serial%d out of range\n", sport->port.line); + return -EINVAL; + } snprintf(sport->name, PXA_NAME_LEN - 1, "UART%d", sport->port.line + 1);
sport->port.membase = ioremap(mmres->start, resource_size(mmres));
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mark Brown broonie@kernel.org
commit d5b98eb12420ce856caaf57dc5256eedc56a3747 upstream.
When doing a bulk read from a device which lacks raw I/O support we fall back to doing register at a time reads but we still use the raw formatters in order to render the data into the word size used by the device (since bulk reads still operate on the device word size rather than unsigned ints). This means that devices without raw formatting such as those that provide reg_read() are not supported. Provide handling for them by copying the values read into native endian values of the appropriate size.
Signed-off-by: Mark Brown broonie@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/base/regmap/regmap.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-)
--- a/drivers/base/regmap/regmap.c +++ b/drivers/base/regmap/regmap.c @@ -2246,7 +2246,34 @@ int regmap_bulk_read(struct regmap *map, &ival); if (ret != 0) return ret; - map->format.format_val(val + (i * val_bytes), ival, 0); + + if (map->format.format_val) { + map->format.format_val(val + (i * val_bytes), ival, 0); + } else { + /* Devices providing read and write + * operations can use the bulk I/O + * functions if they define a val_bytes, + * we assume that the values are native + * endian. + */ + u32 *u32 = val; + u16 *u16 = val; + u8 *u8 = val; + + switch (map->format.val_bytes) { + case 4: + u32[i] = ival; + break; + case 2: + u16[i] = ival; + break; + case 1: + u8[i] = ival; + break; + default: + return -EINVAL; + } + } } }
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Gerasiov gq@redlab-i.ru
commit 823f7923833c6cc2b16e601546d607dcfb368004 upstream.
WCH CH382L is a PCI-E adapter with 1 parallel port. It is similair to CH382 but serial ports are not soldered on board. Detected as Serial controller: Device 1c00:3050 (rev 10) (prog-if 05 [16850])
Signed-off-by: Alexander Gerasiov gq@redlab-i.ru Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/parport/parport_pc.c | 4 ++++ 1 file changed, 4 insertions(+)
--- a/drivers/parport/parport_pc.c +++ b/drivers/parport/parport_pc.c @@ -2616,6 +2616,7 @@ enum parport_pc_pci_cards { netmos_9901, netmos_9865, quatech_sppxp100, + wch_ch382l, };
@@ -2678,6 +2679,7 @@ static struct parport_pc_pci { /* netmos_9901 */ { 1, { { 0, -1 }, } }, /* netmos_9865 */ { 1, { { 0, -1 }, } }, /* quatech_sppxp100 */ { 1, { { 0, 1 }, } }, + /* wch_ch382l */ { 1, { { 2, -1 }, } }, };
static const struct pci_device_id parport_pc_pci_tbl[] = { @@ -2767,6 +2769,8 @@ static const struct pci_device_id parpor /* Quatech SPPXP-100 Parallel port PCI ExpressCard */ { PCI_VENDOR_ID_QUATECH, PCI_DEVICE_ID_QUATECH_SPPXP_100, PCI_ANY_ID, PCI_ANY_ID, 0, 0, quatech_sppxp100 }, + /* WCH CH382L PCI-E single parallel port card */ + { 0x1c00, 0x3050, 0x1c00, 0x3050, 0, 0, wch_ch382l }, { 0, } /* terminate list */ }; MODULE_DEVICE_TABLE(pci, parport_pc_pci_tbl);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King colin.king@canonical.com
commit e1a7418529e33bc4efc346324557251a16a3e79b upstream.
Currently the allocation of priv->oldaddr is not null checked which will lead to subsequent errors when accessing priv->oldaddr. Fix this with a null pointer check and a return of -ENOMEM on allocation failure.
Detected with Coccinelle: drivers/staging/rtl8192u/r8192U_core.c:1708:2-15: alloc with no test, possible model on line 1723
Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging") Signed-off-by: Colin Ian King colin.king@canonical.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/staging/rtl8192u/r8192U_core.c | 2 ++ 1 file changed, 2 insertions(+)
--- a/drivers/staging/rtl8192u/r8192U_core.c +++ b/drivers/staging/rtl8192u/r8192U_core.c @@ -1893,6 +1893,8 @@ static short rtl8192_usb_initendpoints(s
priv->rx_urb[16] = usb_alloc_urb(0, GFP_KERNEL); priv->oldaddr = kmalloc(16, GFP_KERNEL); + if (!priv->oldaddr) + return -ENOMEM; oldaddr = priv->oldaddr; align = ((long)oldaddr) & 3; if (align) {
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Mazur krzysiek@podlesie.net
commit 4d1a535b8ec5e74b42dfd9dc809142653b2597f6 upstream.
glibc 2.26 removed the 'struct ucontext' to "improve" POSIX compliance and break programs, including User Mode Linux. Fix User Mode Linux by using POSIX ucontext_t.
This fixes:
arch/um/os-Linux/signal.c: In function 'hard_handler': arch/um/os-Linux/signal.c:163:22: error: dereferencing pointer to incomplete type 'struct ucontext' mcontext_t *mc = &uc->uc_mcontext; arch/x86/um/stub_segv.c: In function 'stub_segv_handler': arch/x86/um/stub_segv.c:16:13: error: dereferencing pointer to incomplete type 'struct ucontext' &uc->uc_mcontext);
Signed-off-by: Krzysztof Mazur krzysiek@podlesie.net Signed-off-by: Richard Weinberger richard@nod.at Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/um/os-Linux/signal.c | 2 +- arch/x86/um/stub_segv.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
--- a/arch/um/os-Linux/signal.c +++ b/arch/um/os-Linux/signal.c @@ -135,7 +135,7 @@ static void (*handlers[_NSIG])(int sig,
static void hard_handler(int sig, siginfo_t *si, void *p) { - struct ucontext *uc = p; + ucontext_t *uc = p; mcontext_t *mc = &uc->uc_mcontext; unsigned long pending = 1UL << sig;
--- a/arch/x86/um/stub_segv.c +++ b/arch/x86/um/stub_segv.c @@ -10,7 +10,7 @@ void __attribute__ ((__section__ (".__syscall_stub"))) stub_segv_handler(int sig, siginfo_t *info, void *p) { - struct ucontext *uc = p; + ucontext_t *uc = p;
GET_FAULTINFO_FROM_MC(*((struct faultinfo *) STUB_DATA), &uc->uc_mcontext);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jerome Brunet jbrunet@baylibre.com
commit fe3f338f0cb2ed4d4f06da054c21ae2f8a36ef2d upstream.
The mux documentation mentions the non-existing parameter width instead of mask, so just sed this.
The table field is missing in the documentation of clk_mux. Add a small blurb explaining what it is
Fixes: 9d9f78ed9af0 ("clk: basic clock hardware types") Signed-off-by: Jerome Brunet jbrunet@baylibre.com Signed-off-by: Michael Turquette mturquette@baylibre.com Signed-off-by: Stephen Boyd sboyd@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- include/linux/clk-provider.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/include/linux/clk-provider.h +++ b/include/linux/clk-provider.h @@ -356,8 +356,9 @@ struct clk *clk_register_divider_table(s * * @hw: handle between common and hardware-specific interfaces * @reg: register controlling multiplexer + * @table: array of register values corresponding to the parent index * @shift: shift to multiplexer bit field - * @width: width of mutliplexer bit field + * @mask: mask of mutliplexer bit field * @flags: hardware-specific flags * @lock: register lock *
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mike Frysinger vapier@chromium.org
commit 65d9982d7e523a1a8e7c9af012da0d166f72fc56 upstream.
ECMA-48 [1] (aka ISO 6429) has defined SGR 21 as "doubly underlined" since at least March 1984. The Linux kernel has treated it as SGR 22 "normal intensity" since it was added in Linux-0.96b in June 1992. Before that, it was simply ignored. Other terminal emulators have either ignored it, or treat it as double underline now. xterm for example added support in its 304 release (May 2014) [2] where it was previously ignoring it.
Changing this behavior shouldn't be an issue: - It isn't a named capability in ncurses's terminfo database, so no script is using libtinfo/libcurses to look this up, or using tput to query & output the right sequence. - Any script assuming SGR 21 will reset intensity in all terminals already do not work correctly on non-Linux VTs (including running under screen/tmux/etc...). - If someone has written a script that only runs in the Linux VT, and they're using SGR 21 (instead of SGR 22), the output should still be readable.
imo it's important to change this as the Linux VT's non-conformance is sometimes used as an argument for other terminal emulators to not implement SGR 21 at all, or do so incorrectly.
[1]: https://www.ecma-international.org/publications/standards/Ecma-048.htm [2]: https://github.com/ThomasDickey/xterm-snapshots/commit/2fd29cb98d214cb536bca...
Signed-off-by: Mike Frysinger vapier@chromium.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [bwh: Backported to 3.16: adjust indentation] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/tty/vt/vt.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -1303,6 +1303,11 @@ static void csi_m(struct vc_data *vc) case 3: vc->vc_italic = 1; break; + case 21: + /* + * No console drivers support double underline, so + * convert it to a single underline. + */ case 4: vc->vc_underline = 1; break; @@ -1339,7 +1344,6 @@ static void csi_m(struct vc_data *vc) vc->vc_disp_ctrl = 1; vc->vc_toggle_meta = 1; break; - case 21: case 22: vc->vc_intensity = 1; break;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit 02a5d6925cd34c3b774bdb8eefb057c40a30e870 upstream.
Although we apply the params_lock mutex to the whole read and write operations as well as snd_pcm_oss_change_params(), we may still face some races.
First off, the params_lock is taken inside the read and write loop. This is intentional for avoiding the too long locking, but it allows the in-between parameter change, which might lead to invalid pointers. We check the readiness of the stream and set up via snd_pcm_oss_make_ready() at the beginning of read and write, but it's called only once, by assuming that it remains ready in the rest.
Second, many ioctls that may change the actual parameters (i.e. setting runtime->oss.params=1) aren't protected, hence they can be processed in a half-baked state.
This patch is an attempt to plug these holes. The stream readiness check is moved inside the read/write inner loop, so that the stream is always set up in a proper state before further processing. Also, each ioctl that may change the parameter is wrapped with the params_lock for avoiding the races.
The issues were triggered by syzkaller in a few different scenarios, particularly the one below appearing as GPF in loopback_pos_update.
Reported-by: syzbot+c4227aec125487ec3efa@syzkaller.appspotmail.com Signed-off-by: Takashi Iwai tiwai@suse.de [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/core/oss/pcm_oss.c | 134 +++++++++++++++++++++++++++++++-------- 1 file changed, 106 insertions(+), 28 deletions(-)
--- a/sound/core/oss/pcm_oss.c +++ b/sound/core/oss/pcm_oss.c @@ -833,8 +833,8 @@ static int choose_rate(struct snd_pcm_su return snd_pcm_hw_param_near(substream, params, SNDRV_PCM_HW_PARAM_RATE, best_rate, NULL); }
-static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream, - bool trylock) +/* call with params_lock held */ +static int snd_pcm_oss_change_params_locked(struct snd_pcm_substream *substream) { struct snd_pcm_runtime *runtime = substream->runtime; struct snd_pcm_hw_params *params, *sparams; @@ -848,11 +848,8 @@ static int snd_pcm_oss_change_params(str struct snd_mask sformat_mask; struct snd_mask mask;
- if (trylock) { - if (!(mutex_trylock(&runtime->oss.params_lock))) - return -EAGAIN; - } else if (mutex_lock_interruptible(&runtime->oss.params_lock)) - return -ERESTARTSYS; + if (!runtime->oss.params) + return 0; sw_params = kmalloc(sizeof(*sw_params), GFP_KERNEL); params = kmalloc(sizeof(*params), GFP_KERNEL); sparams = kmalloc(sizeof(*sparams), GFP_KERNEL); @@ -1080,6 +1077,23 @@ failure: kfree(sw_params); kfree(params); kfree(sparams); + return err; +} + +/* this one takes the lock by itself */ +static int snd_pcm_oss_change_params(struct snd_pcm_substream *substream, + bool trylock) +{ + struct snd_pcm_runtime *runtime = substream->runtime; + int err; + + if (trylock) { + if (!(mutex_trylock(&runtime->oss.params_lock))) + return -EAGAIN; + } else if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; + + err = snd_pcm_oss_change_params_locked(substream); mutex_unlock(&runtime->oss.params_lock); return err; } @@ -1108,11 +1122,14 @@ static int snd_pcm_oss_get_active_substr return 0; }
+/* call with params_lock held */ static int snd_pcm_oss_prepare(struct snd_pcm_substream *substream) { int err; struct snd_pcm_runtime *runtime = substream->runtime;
+ if (!runtime->oss.prepare) + return 0; err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_PREPARE, NULL); if (err < 0) { pcm_dbg(substream->pcm, @@ -1132,8 +1149,6 @@ static int snd_pcm_oss_make_ready(struct struct snd_pcm_runtime *runtime; int err;
- if (substream == NULL) - return 0; runtime = substream->runtime; if (runtime->oss.params) { err = snd_pcm_oss_change_params(substream, false); @@ -1141,6 +1156,29 @@ static int snd_pcm_oss_make_ready(struct return err; } if (runtime->oss.prepare) { + if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; + err = snd_pcm_oss_prepare(substream); + mutex_unlock(&runtime->oss.params_lock); + if (err < 0) + return err; + } + return 0; +} + +/* call with params_lock held */ +static int snd_pcm_oss_make_ready_locked(struct snd_pcm_substream *substream) +{ + struct snd_pcm_runtime *runtime; + int err; + + runtime = substream->runtime; + if (runtime->oss.params) { + err = snd_pcm_oss_change_params_locked(substream); + if (err < 0) + return err; + } + if (runtime->oss.prepare) { err = snd_pcm_oss_prepare(substream); if (err < 0) return err; @@ -1368,13 +1406,14 @@ static ssize_t snd_pcm_oss_write1(struct if (atomic_read(&substream->mmap_count)) return -ENXIO;
- if ((tmp = snd_pcm_oss_make_ready(substream)) < 0) - return tmp; while (bytes > 0) { if (mutex_lock_interruptible(&runtime->oss.params_lock)) { tmp = -ERESTARTSYS; break; } + tmp = snd_pcm_oss_make_ready_locked(substream); + if (tmp < 0) + goto err; if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) { tmp = bytes; if (tmp + runtime->oss.buffer_used > runtime->oss.period_bytes) @@ -1475,13 +1514,14 @@ static ssize_t snd_pcm_oss_read1(struct if (atomic_read(&substream->mmap_count)) return -ENXIO;
- if ((tmp = snd_pcm_oss_make_ready(substream)) < 0) - return tmp; while (bytes > 0) { if (mutex_lock_interruptible(&runtime->oss.params_lock)) { tmp = -ERESTARTSYS; break; } + tmp = snd_pcm_oss_make_ready_locked(substream); + if (tmp < 0) + goto err; if (bytes < runtime->oss.period_bytes || runtime->oss.buffer_used > 0) { if (runtime->oss.buffer_used == 0) { tmp = snd_pcm_oss_read2(substream, runtime->oss.buffer, runtime->oss.period_bytes, 1); @@ -1537,10 +1577,12 @@ static int snd_pcm_oss_reset(struct snd_ continue; runtime = substream->runtime; snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL); + mutex_lock(&runtime->oss.params_lock); runtime->oss.prepare = 1; runtime->oss.buffer_used = 0; runtime->oss.prev_hw_ptr_period = 0; runtime->oss.period_ptr = 0; + mutex_unlock(&runtime->oss.params_lock); } return 0; } @@ -1626,9 +1668,10 @@ static int snd_pcm_oss_sync(struct snd_p goto __direct; if ((err = snd_pcm_oss_make_ready(substream)) < 0) return err; + if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; format = snd_pcm_oss_format_from(runtime->oss.format); width = snd_pcm_format_physical_width(format); - mutex_lock(&runtime->oss.params_lock); if (runtime->oss.buffer_used > 0) { #ifdef OSS_DEBUG pcm_dbg(substream->pcm, "sync: buffer_used\n"); @@ -1696,7 +1739,9 @@ static int snd_pcm_oss_sync(struct snd_p substream->f_flags = saved_f_flags; if (err < 0) return err; + mutex_lock(&runtime->oss.params_lock); runtime->oss.prepare = 1; + mutex_unlock(&runtime->oss.params_lock); }
substream = pcm_oss_file->streams[SNDRV_PCM_STREAM_CAPTURE]; @@ -1707,8 +1752,10 @@ static int snd_pcm_oss_sync(struct snd_p err = snd_pcm_kernel_ioctl(substream, SNDRV_PCM_IOCTL_DROP, NULL); if (err < 0) return err; + mutex_lock(&runtime->oss.params_lock); runtime->oss.buffer_used = 0; runtime->oss.prepare = 1; + mutex_unlock(&runtime->oss.params_lock); } return 0; } @@ -1727,10 +1774,13 @@ static int snd_pcm_oss_set_rate(struct s rate = 1000; else if (rate > 192000) rate = 192000; + if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; if (runtime->oss.rate != rate) { runtime->oss.params = 1; runtime->oss.rate = rate; } + mutex_unlock(&runtime->oss.params_lock); } return snd_pcm_oss_get_rate(pcm_oss_file); } @@ -1758,10 +1808,13 @@ static int snd_pcm_oss_set_channels(stru if (substream == NULL) continue; runtime = substream->runtime; + if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; if (runtime->oss.channels != channels) { runtime->oss.params = 1; runtime->oss.channels = channels; } + mutex_unlock(&runtime->oss.params_lock); } return snd_pcm_oss_get_channels(pcm_oss_file); } @@ -1845,10 +1898,13 @@ static int snd_pcm_oss_set_format(struct if (substream == NULL) continue; runtime = substream->runtime; + if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; if (runtime->oss.format != format) { runtime->oss.params = 1; runtime->oss.format = format; } + mutex_unlock(&runtime->oss.params_lock); } } return snd_pcm_oss_get_format(pcm_oss_file); @@ -1868,8 +1924,6 @@ static int snd_pcm_oss_set_subdivide1(st { struct snd_pcm_runtime *runtime;
- if (substream == NULL) - return 0; runtime = substream->runtime; if (subdivide == 0) { subdivide = runtime->oss.subdivision; @@ -1893,9 +1947,16 @@ static int snd_pcm_oss_set_subdivide(str
for (idx = 1; idx >= 0; --idx) { struct snd_pcm_substream *substream = pcm_oss_file->streams[idx]; + struct snd_pcm_runtime *runtime; + if (substream == NULL) continue; - if ((err = snd_pcm_oss_set_subdivide1(substream, subdivide)) < 0) + runtime = substream->runtime; + if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; + err = snd_pcm_oss_set_subdivide1(substream, subdivide); + mutex_unlock(&runtime->oss.params_lock); + if (err < 0) return err; } return err; @@ -1905,8 +1966,6 @@ static int snd_pcm_oss_set_fragment1(str { struct snd_pcm_runtime *runtime;
- if (substream == NULL) - return 0; runtime = substream->runtime; if (runtime->oss.subdivision || runtime->oss.fragshift) return -EINVAL; @@ -1926,9 +1985,16 @@ static int snd_pcm_oss_set_fragment(stru
for (idx = 1; idx >= 0; --idx) { struct snd_pcm_substream *substream = pcm_oss_file->streams[idx]; + struct snd_pcm_runtime *runtime; + if (substream == NULL) continue; - if ((err = snd_pcm_oss_set_fragment1(substream, val)) < 0) + runtime = substream->runtime; + if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; + err = snd_pcm_oss_set_fragment1(substream, val); + mutex_unlock(&runtime->oss.params_lock); + if (err < 0) return err; } return err; @@ -2012,6 +2078,9 @@ static int snd_pcm_oss_set_trigger(struc } if (psubstream) { runtime = psubstream->runtime; + cmd = 0; + if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; if (trigger & PCM_ENABLE_OUTPUT) { if (runtime->oss.trigger) goto _skip1; @@ -2029,13 +2098,19 @@ static int snd_pcm_oss_set_trigger(struc cmd = SNDRV_PCM_IOCTL_DROP; runtime->oss.prepare = 1; } - err = snd_pcm_kernel_ioctl(psubstream, cmd, NULL); - if (err < 0) - return err; - } _skip1: + mutex_unlock(&runtime->oss.params_lock); + if (cmd) { + err = snd_pcm_kernel_ioctl(psubstream, cmd, NULL); + if (err < 0) + return err; + } + } if (csubstream) { runtime = csubstream->runtime; + cmd = 0; + if (mutex_lock_interruptible(&runtime->oss.params_lock)) + return -ERESTARTSYS; if (trigger & PCM_ENABLE_INPUT) { if (runtime->oss.trigger) goto _skip2; @@ -2050,11 +2125,14 @@ static int snd_pcm_oss_set_trigger(struc cmd = SNDRV_PCM_IOCTL_DROP; runtime->oss.prepare = 1; } - err = snd_pcm_kernel_ioctl(csubstream, cmd, NULL); - if (err < 0) - return err; - } _skip2: + mutex_unlock(&runtime->oss.params_lock); + if (cmd) { + err = snd_pcm_kernel_ioctl(csubstream, cmd, NULL); + if (err < 0) + return err; + } + } return 0; }
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o tytso@mit.edu
commit 044e6e3d74a3d7103a0c8a9305dfd94d64000660 upstream.
When reading the inode or block allocation bitmap, if the bitmap needs to be initialized, do not update the checksum in the block group descriptor. That's because we're not set up to journal those changes. Instead, just set the verified bit on the bitmap block, so that it's not necessary to validate the checksum.
When a block or inode allocation actually happens, at that point the checksum will be calculated, and update of the bg descriptor block will be properly journalled.
Signed-off-by: Theodore Ts'o tytso@mit.edu [bwh: Backported to 3.16: - Deleted code is slightly different - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/ext4/balloc.c | 3 +-- fs/ext4/ialloc.c | 47 +++-------------------------------------------- 2 files changed, 4 insertions(+), 46 deletions(-)
--- a/fs/ext4/balloc.c +++ b/fs/ext4/balloc.c @@ -239,8 +239,6 @@ static int ext4_init_block_bitmap(struct */ ext4_mark_bitmap_end(num_clusters_in_group(sb, block_group), sb->s_blocksize * 8, bh->b_data); - ext4_block_bitmap_csum_set(sb, block_group, gdp, bh); - ext4_group_desc_csum_set(sb, block_group, gdp); return 0; }
@@ -464,6 +462,7 @@ ext4_read_block_bitmap_nowait(struct sup err = ext4_init_block_bitmap(sb, bh, block_group, desc); set_bitmap_uptodate(bh); set_buffer_uptodate(bh); + set_buffer_verified(bh); ext4_unlock_group(sb, block_group); unlock_buffer(bh); if (err) --- a/fs/ext4/ialloc.c +++ b/fs/ext4/ialloc.c @@ -64,45 +64,6 @@ void ext4_mark_bitmap_end(int start_bit, memset(bitmap + (i >> 3), 0xff, (end_bit - i) >> 3); }
-/* Initializes an uninitialized inode bitmap */ -static unsigned ext4_init_inode_bitmap(struct super_block *sb, - struct buffer_head *bh, - ext4_group_t block_group, - struct ext4_group_desc *gdp) -{ - struct ext4_group_info *grp; - struct ext4_sb_info *sbi = EXT4_SB(sb); - J_ASSERT_BH(bh, buffer_locked(bh)); - - /* If checksum is bad mark all blocks and inodes use to prevent - * allocation, essentially implementing a per-group read-only flag. */ - if (!ext4_group_desc_csum_verify(sb, block_group, gdp)) { - ext4_error(sb, "Checksum bad for group %u", block_group); - grp = ext4_get_group_info(sb, block_group); - if (!EXT4_MB_GRP_BBITMAP_CORRUPT(grp)) - percpu_counter_sub(&sbi->s_freeclusters_counter, - grp->bb_free); - set_bit(EXT4_GROUP_INFO_BBITMAP_CORRUPT_BIT, &grp->bb_state); - if (!EXT4_MB_GRP_IBITMAP_CORRUPT(grp)) { - int count; - count = ext4_free_inodes_count(sb, gdp); - percpu_counter_sub(&sbi->s_freeinodes_counter, - count); - } - set_bit(EXT4_GROUP_INFO_IBITMAP_CORRUPT_BIT, &grp->bb_state); - return 0; - } - - memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8); - ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb), sb->s_blocksize * 8, - bh->b_data); - ext4_inode_bitmap_csum_set(sb, block_group, gdp, bh, - EXT4_INODES_PER_GROUP(sb) / 8); - ext4_group_desc_csum_set(sb, block_group, gdp); - - return EXT4_INODES_PER_GROUP(sb); -} - void ext4_end_bitmap_read(struct buffer_head *bh, int uptodate) { if (uptodate) { @@ -166,7 +127,9 @@ ext4_read_inode_bitmap(struct super_bloc put_bh(bh); return NULL; } - ext4_init_inode_bitmap(sb, bh, block_group, desc); + memset(bh->b_data, 0, (EXT4_INODES_PER_GROUP(sb) + 7) / 8); + ext4_mark_bitmap_end(EXT4_INODES_PER_GROUP(sb), + sb->s_blocksize * 8, bh->b_data); set_bitmap_uptodate(bh); set_buffer_uptodate(bh); set_buffer_verified(bh);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck linux@roeck-us.net
commit ecb29abd4cb0670c616fb563a078f25d777ce530 upstream.
A negative page register value means that no page needs to be selected. This is used by status register read operations and needs to be accepted. The failure to do so so results in missed status and limit registers.
Fixes: da8e48ab483e1 ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver") Signed-off-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/hwmon/pmbus/adm1275.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/hwmon/pmbus/adm1275.c +++ b/drivers/hwmon/pmbus/adm1275.c @@ -67,7 +67,7 @@ static int adm1275_read_word_data(struct const struct adm1275_data *data = to_adm1275_data(info); int ret = 0;
- if (page) + if (page > 0) return -ENXIO;
switch (reg) { @@ -144,7 +144,7 @@ static int adm1275_write_word_data(struc { int ret;
- if (page) + if (page > 0) return -ENXIO;
switch (reg) {
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Khoroshilov khoroshilov@ispras.ru
commit 5738a09d58d5ad2871f1f9a42bf6a3aa9ece5b3c upstream.
vmxnet3_drv does not check dma_addr with dma_mapping_error() after mapping dma memory. The patch adds the checks and tries to handle failures.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov khoroshilov@ispras.ru Acked-by: Shrikrishna Khare skhare@vmware.com Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.16: adjust context, indentation] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/vmxnet3/vmxnet3_drv.c | 71 ++++++++++++++++++++++++++----- 1 file changed, 60 insertions(+), 11 deletions(-)
--- a/drivers/net/vmxnet3/vmxnet3_drv.c +++ b/drivers/net/vmxnet3/vmxnet3_drv.c @@ -587,6 +587,12 @@ vmxnet3_rq_alloc_rx_buf(struct vmxnet3_r &adapter->pdev->dev, rbi->skb->data, rbi->len, PCI_DMA_FROMDEVICE); + if (dma_mapping_error(&adapter->pdev->dev, + rbi->dma_addr)) { + dev_kfree_skb_any(rbi->skb); + rq->stats.rx_buf_alloc_failure++; + break; + } } else { /* rx buffer skipped by the device */ } @@ -605,13 +611,18 @@ vmxnet3_rq_alloc_rx_buf(struct vmxnet3_r &adapter->pdev->dev, rbi->page, 0, PAGE_SIZE, PCI_DMA_FROMDEVICE); + if (dma_mapping_error(&adapter->pdev->dev, + rbi->dma_addr)) { + put_page(rbi->page); + rq->stats.rx_buf_alloc_failure++; + break; + } } else { /* rx buffers skipped by the device */ } val = VMXNET3_RXD_BTYPE_BODY << VMXNET3_RXD_BTYPE_SHIFT; }
- BUG_ON(rbi->dma_addr == 0); gd->rxd.addr = cpu_to_le64(rbi->dma_addr); gd->dword[2] = cpu_to_le32((!ring->gen << VMXNET3_RXD_GEN_SHIFT) | val | rbi->len); @@ -655,7 +666,7 @@ vmxnet3_append_frag(struct sk_buff *skb, }
-static void +static int vmxnet3_map_pkt(struct sk_buff *skb, struct vmxnet3_tx_ctx *ctx, struct vmxnet3_tx_queue *tq, struct pci_dev *pdev, struct vmxnet3_adapter *adapter) @@ -715,6 +726,8 @@ vmxnet3_map_pkt(struct sk_buff *skb, str tbi->dma_addr = dma_map_single(&adapter->pdev->dev, skb->data + buf_offset, buf_size, PCI_DMA_TODEVICE); + if (dma_mapping_error(&adapter->pdev->dev, tbi->dma_addr)) + return -EFAULT;
tbi->len = buf_size;
@@ -755,6 +768,8 @@ vmxnet3_map_pkt(struct sk_buff *skb, str tbi->dma_addr = skb_frag_dma_map(&adapter->pdev->dev, frag, buf_offset, buf_size, DMA_TO_DEVICE); + if (dma_mapping_error(&adapter->pdev->dev, tbi->dma_addr)) + return -EFAULT;
tbi->len = buf_size;
@@ -782,6 +797,8 @@ vmxnet3_map_pkt(struct sk_buff *skb, str /* set the last buf_info for the pkt */ tbi->skb = skb; tbi->sop_idx = ctx->sop_txd - tq->tx_ring.base; + + return 0; }
@@ -1006,7 +1023,8 @@ vmxnet3_tq_xmit(struct sk_buff *skb, str }
/* fill tx descs related to addr & len */ - vmxnet3_map_pkt(skb, &ctx, tq, adapter->pdev, adapter); + if (vmxnet3_map_pkt(skb, &ctx, tq, adapter->pdev, adapter)) + goto unlock_drop_pkt;
/* setup the EOP desc */ ctx.eop_txd->dword[3] = cpu_to_le32(VMXNET3_TXD_CQ | VMXNET3_TXD_EOP); @@ -1170,6 +1188,7 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx struct vmxnet3_rx_buf_info *rbi; struct sk_buff *skb, *new_skb = NULL; struct page *new_page = NULL; + dma_addr_t new_dma_addr; int num_to_alloc; struct Vmxnet3_RxDesc *rxd; u32 idx, ring_idx; @@ -1227,6 +1246,21 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx skip_page_frags = true; goto rcd_done; } + new_dma_addr = dma_map_single(&adapter->pdev->dev, + new_skb->data, rbi->len, + PCI_DMA_FROMDEVICE); + if (dma_mapping_error(&adapter->pdev->dev, + new_dma_addr)) { + dev_kfree_skb(new_skb); + /* Skb allocation failed, do not handover this + * skb to stack. Reuse it. Drop the existing pkt + */ + rq->stats.rx_buf_alloc_failure++; + ctx->skb = NULL; + rq->stats.drop_total++; + skip_page_frags = true; + goto rcd_done; + }
dma_unmap_single(&adapter->pdev->dev, rbi->dma_addr, rbi->len, @@ -1243,9 +1277,7 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx
/* Immediate refill */ rbi->skb = new_skb; - rbi->dma_addr = dma_map_single(&adapter->pdev->dev, - rbi->skb->data, rbi->len, - PCI_DMA_FROMDEVICE); + rbi->dma_addr = new_dma_addr; rxd->addr = cpu_to_le64(rbi->dma_addr); rxd->len = rbi->len;
@@ -1275,6 +1307,19 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx skip_page_frags = true; goto rcd_done; } + new_dma_addr = dma_map_page(&adapter->pdev->dev, + rbi->page, + 0, PAGE_SIZE, + PCI_DMA_FROMDEVICE); + if (dma_mapping_error(&adapter->pdev->dev, + new_dma_addr)) { + put_page(new_page); + rq->stats.rx_buf_alloc_failure++; + dev_kfree_skb(ctx->skb); + ctx->skb = NULL; + skip_page_frags = true; + goto rcd_done; + }
if (rcd->len) { dma_unmap_page(&adapter->pdev->dev, @@ -1286,10 +1331,7 @@ vmxnet3_rq_rx_complete(struct vmxnet3_rx
/* Immediate refill */ rbi->page = new_page; - rbi->dma_addr = dma_map_page(&adapter->pdev->dev, - rbi->page, - 0, PAGE_SIZE, - PCI_DMA_FROMDEVICE); + rbi->dma_addr = new_dma_addr; rxd->addr = cpu_to_le64(rbi->dma_addr); rxd->len = rbi->len; } @@ -2065,7 +2107,8 @@ vmxnet3_set_mc(struct net_device *netdev PCI_DMA_TODEVICE); }
- if (new_table_pa) { + if (!dma_mapping_error(&adapter->pdev->dev, + new_table_pa)) { new_mode |= VMXNET3_RXM_MCAST; rxConf->mfTablePA = cpu_to_le64(new_table_pa); } else { @@ -2976,6 +3019,11 @@ vmxnet3_probe_device(struct pci_dev *pde adapter->adapter_pa = dma_map_single(&adapter->pdev->dev, adapter, sizeof(struct vmxnet3_adapter), PCI_DMA_TODEVICE); + if (dma_mapping_error(&adapter->pdev->dev, adapter->adapter_pa)) { + dev_err(&pdev->dev, "Failed to map dma\n"); + err = -EFAULT; + goto err_dma_map; + } adapter->shared = dma_alloc_coherent( &adapter->pdev->dev, sizeof(struct Vmxnet3_DriverShared), @@ -3129,6 +3177,7 @@ err_alloc_queue_desc: err_alloc_shared: dma_unmap_single(&adapter->pdev->dev, adapter->adapter_pa, sizeof(struct vmxnet3_adapter), PCI_DMA_TODEVICE); +err_dma_map: free_netdev(netdev); return err; }
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
Sorry for the late response, this just hit the kernel in Debian Jessie (oldstable) a few days ago.
From: Alexey Khoroshilov khoroshilov@ispras.ru
commit 5738a09d58d5ad2871f1f9a42bf6a3aa9ece5b3c upstream.
vmxnet3_drv does not check dma_addr with dma_mapping_error() after mapping dma memory. The patch adds the checks and tries to handle failures.
We are seeing kernel panics/machine freezes/BUGs with the new 3.16.64 from Debian. I bisected it with the vanilla stable kernel and it boiled down to this commit. VMs of multiple nodes of our vmware cluster are affected. The bug can be triggered in multiple ways, I have seen it when an external network request is served, when installing packages over the network and performing a git clone.
I will try to get the specific versions of the involved hardware components next week. The 4.9.144 stable kernel (which also contains this commit works fine on the affected machine)
Below you can see the dmesg log of one affected machine:
[ 1.772994] vmxnet3 0000:03:00.0 eth0: intr type 3, mode 0, 5 vectors allocated [ 1.774079] vmxnet3 0000:03:00.0 eth0: NIC Link is Up 10000 Mbps [ 9.622787] gunicorn: worke: Corrupted page table at address 362d000 [ 9.622817] PGD 80000000753b7067 PUD 6f84e067 PMD 76cbb067 PTE 6461685368637845 [ 9.622848] Bad pagetable: 000d [#1] SMP [ 9.622866] Modules linked in: binfmt_misc ip6table_filter ip6_tables ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 xt_comment xt_multiport xt_conntrack nf_conntrack iptable_filter ip_tables x_tables crc32_pclmul crc32c_intel aesni_intel aes_x86_64 glue_helper lrw vmw_vsock_vmci_transport vsock gf128mul vmw_balloon ppdev evdev ablk_helper cryptd pcspkr serio_raw vmwgfx drm_kms_helper ttm ac processor battery button parport_pc thermal_sys drm parport shpchp vmw_vmci autofs4 ext4 crc16 mbcache jbd2 dm_mod sg sr_mod cdrom sd_mod crc_t10dif crct10dif_generic ata_generic crct10dif_pclmul crct10dif_common psmouse vmxnet3 ata_piix mptspi scsi_transport_spi mptscsih libata i2c_piix4 mptbase scsi_mod i2c_core [ 9.623168] CPU: 1 PID: 717 Comm: gunicorn: worke Not tainted 3.16.59+ #18 [ 9.623191] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.623225] task: ffff88007835e090 ti: ffff88006f834000 task.ti: ffff88006f834000 [ 9.623249] RIP: 0033:[<00007fb4bfb6d123>] [<00007fb4bfb6d123>] 0x7fb4bfb6d123 [ 9.623278] RSP: 002b:00007fff6e4718b8 EFLAGS: 00010206 [ 9.623296] RAX: fffffffffff7b8c0 RBX: 00000000036aadc0 RCX: 00000000036b1740 [ 9.623318] RDX: 000000000372f500 RSI: 0000000003626690 RDI: 00000000036aade0 [ 9.623341] RBP: 0000000000084740 R08: fffffffffff7b8b0 R09: fffffffffff7b8a0 [ 9.623363] R10: fffffffffff7b890 R11: 0000000000000037 R12: 0000000000085760 [ 9.623385] R13: 00000000004cd810 R14: 0000000000001000 R15: 0000000003589dd0 [ 9.623408] FS: 00007fb4c0ffe700(0000) GS:ffff88007fc80000(0000) knlGS:0000000000000000 [ 9.623433] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 9.623451] CR2: 000000000362d000 CR3: 00000000753fa000 CR4: 0000000000360770 [ 9.623524] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 9.623547] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 9.623577] RIP [<00007fb4bfb6d123>] 0x7fb4bfb6d123 [ 9.623600] RSP <00007fff6e4718b8> [ 9.623614] ---[ end trace f863ea854df6c9a5 ]--- [ 9.624169] swap_free: Bad swap file entry 1001a1e5a32423f7 [ 9.624189] BUG: Bad page map in process gunicorn: worke pte:417869736f702024 pmd:76cbb067 [ 9.624215] addr:0000000003600000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3600 [ 9.625444] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G D 3.16.59+ #18 [ 9.626070] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.627321] 0000000000000000 ffffffff8151fda4 0000000003600000 ffff8800753700d0 [ 9.627968] ffffffff8116f380 0000000000000008 ffff880076cbb000 417869736f702024 [ 9.628596] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003600000 [ 9.629213] Call Trace: [ 9.629811] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.630413] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.630991] [<ffffffff811707a2>] ? unmap_single_vma+0x4c2/0x830 [ 9.631556] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.632106] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.632640] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.633162] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.633677] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.634171] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.634653] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.635129] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.635629] BUG: Bad page map in process gunicorn: worke pte:2420746e756f6363 pmd:76cbb067 [ 9.636111] addr:0000000003601000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3601 [ 9.637080] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.637594] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.638611] 0000000000000000 ffffffff8151fda4 0000000003601000 ffff8800753700d0 [ 9.639145] ffffffff8116f380 ffffffff8116f380 ffff880076cbb008 2420746e756f6363 [ 9.639671] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003601000 [ 9.640203] Call Trace: [ 9.640737] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.641268] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.641798] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.642320] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.642839] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.643357] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.643867] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.644359] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.644837] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.645304] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.645758] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.646196] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.646634] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.647078] BUG: Bad page map in process gunicorn: worke pte:4d68637845736d20 pmd:76cbb067 [ 9.647552] addr:0000000003602000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3602 [ 9.648420] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.648876] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.649810] 0000000000000000 ffffffff8151fda4 0000000003602000 ffff8800753700d0 [ 9.650310] ffffffff8116f380 ffffffff8116f380 ffff880076cbb010 4d68637845736d20 [ 9.650827] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003602000 [ 9.651341] Call Trace: [ 9.651846] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.652362] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.652903] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.653419] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.653917] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.654406] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.654879] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.655341] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.655789] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.656221] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.656647] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.657062] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.657487] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.657912] BUG: Bad page map in process gunicorn: worke pte:614d786f626c6961 pmd:76cbb067 [ 9.658331] addr:0000000003603000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3603 [ 9.659218] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.659676] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.660610] 0000000000000000 ffffffff8151fda4 0000000003603000 ffff8800753700d0 [ 9.661110] ffffffff8116f380 ffffffff8116f380 ffff880076cbb018 614d786f626c6961 [ 9.661620] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003603000 [ 9.662132] Call Trace: [ 9.662637] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.663156] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.663673] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.664182] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.664686] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.665175] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.665649] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.666111] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.666559] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.666992] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.667425] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.667841] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.668252] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.668676] BUG: Bad page map in process gunicorn: worke pte:6c6f50726567616e pmd:76cbb067 [ 9.669096] addr:0000000003604000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3604 [ 9.669951] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.670407] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.671345] 0000000000000000 ffffffff8151fda4 0000000003604000 ffff8800753700d0 [ 9.671851] ffffffff8116f380 ffffffff8116f380 ffff880076cbb020 6c6f50726567616e [ 9.672357] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003604000 [ 9.672870] Call Trace: [ 9.673376] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.673892] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.674410] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.674924] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.675424] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.675912] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.676385] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.676848] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.677296] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.677744] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.678165] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.678579] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.678990] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.679410] BUG: Bad page map in process gunicorn: worke pte:414d202920796369 pmd:76cbb067 [ 9.679829] addr:0000000003605000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3605 [ 9.680682] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.681137] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.682076] 0000000000000000 ffffffff8151fda4 0000000003605000 ffff8800753700d0 [ 9.682575] ffffffff8116f380 ffffffff8116f380 ffff880076cbb028 414d202920796369 [ 9.683079] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003605000 [ 9.683593] Call Trace: [ 9.684098] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.684620] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.685137] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.685647] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.686144] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.686633] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.687106] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.687580] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.688027] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.688460] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.688887] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.689301] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.689712] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.690131] BUG: Bad page map in process gunicorn: worke pte:49776f6873282059 pmd:76cbb067 [ 9.690551] addr:0000000003606000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3606 [ 9.691424] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.691881] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.692816] 0000000000000000 ffffffff8151fda4 0000000003606000 ffff8800753700d0 [ 9.693315] ffffffff8116f380 ffffffff8116f380 ffff880076cbb030 49776f6873282059 [ 9.693825] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003606000 [ 9.694338] Call Trace: [ 9.694843] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.695361] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.695878] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.696387] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.696891] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.697379] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.697866] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.698328] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.698777] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.699215] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.699636] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.700051] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.700468] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.700909] BUG: Bad page map in process gunicorn: worke pte:737365726464416e pmd:76cbb067 [ 9.701327] addr:0000000003607000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3607 [ 9.702181] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.702636] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.703592] 0000000000000000 ffffffff8151fda4 0000000003607000 ffff8800753700d0 [ 9.704092] ffffffff8116f380 ffffffff8116f380 ffff880076cbb038 737365726464416e [ 9.704597] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003607000 [ 9.705110] Call Trace: [ 9.705719] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.706305] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.706936] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.707492] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.707991] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.708487] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.708962] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.709426] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.709881] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.710315] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.710743] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.711159] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.711572] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.712000] BUG: Bad page map in process gunicorn: worke pte:6c2024206b6f6f42 pmd:76cbb067 [ 9.712422] addr:0000000003608000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3608 [ 9.713280] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.713737] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.714681] 0000000000000000 ffffffff8151fda4 0000000003608000 ffff8800753700d0 [ 9.715186] ffffffff8116f380 ffffffff8116f380 ffff880076cbb040 6c2024206b6f6f42 [ 9.715698] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003608000 [ 9.716212] Call Trace: [ 9.716719] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.717237] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.717770] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.718281] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.718780] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.719270] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.719758] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.720222] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.720677] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.721111] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.721533] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.721954] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.722366] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.722791] BUG: Bad page map in process gunicorn: worke pte:6378457963616765 pmd:76cbb067 [ 9.723226] addr:0000000003609000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3609 [ 9.724088] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.724550] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.725491] 0000000000000000 ffffffff8151fda4 0000000003609000 ffff8800753700d0 [ 9.725991] ffffffff8116f380 ffffffff8116f380 ffff880076cbb048 6378457963616765 [ 9.726496] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003609000 [ 9.727008] Call Trace: [ 9.727534] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.728050] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.728568] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.729081] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.729580] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.730069] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.730549] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.731012] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.731461] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.731899] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.732326] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.732741] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.733153] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.733582] BUG: Bad page map in process gunicorn: worke pte:204e4465676e6168 pmd:76cbb067 [ 9.734002] addr:000000000360a000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:360a [ 9.734857] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.735322] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.736257] 0000000000000000 ffffffff8151fda4 000000000360a000 ffff8800753700d0 [ 9.736770] ffffffff8116f380 ffffffff8116f380 ffff880076cbb050 204e4465676e6168 [ 9.737276] 0000000000000000 000000000373f000 ffff88006f837dd0 000000000360a000 [ 9.737806] Call Trace: [ 9.738314] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.738830] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.739347] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.739856] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.740359] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.740853] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.741327] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.741789] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.742238] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.742676] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.743097] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.743518] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.743935] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.744365] swap_free: Bad swap file entry 1a01e721eea324b7 [ 9.744771] BUG: Bad page map in process gunicorn: worke pte:68637845736d2024 pmd:76cbb067 [ 9.745190] addr:000000000360b000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:360b [ 9.746077] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.746546] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.747512] 0000000000000000 ffffffff8151fda4 000000000360b000 ffff8800753700d0 [ 9.748022] ffffffff8116f380 000000000000000d ffff880076cbb058 68637845736d2024 [ 9.748534] 0000000000000000 000000000373f000 ffff88006f837dd0 000000000360b000 [ 9.749052] Call Trace: [ 9.749562] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.750087] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.750613] [<ffffffff811707a2>] ? unmap_single_vma+0x4c2/0x830 [ 9.751123] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.751621] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.752114] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.752586] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.753045] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.753494] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.753926] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.754354] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.754805] BUG: Bad page map in process gunicorn: worke pte:61447972616e6143 pmd:76cbb067 [ 9.755255] addr:000000000360c000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:360c [ 9.756128] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.756594] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.757577] 0000000000000000 ffffffff8151fda4 000000000360c000 ffff8800753700d0 [ 9.758087] ffffffff8116f380 ffffffff8116f380 ffff880076cbb060 61447972616e6143 [ 9.758607] 0000000000000000 000000000373f000 ffff88006f837dd0 000000000360c000 [ 9.759132] Call Trace: [ 9.759650] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.760177] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.760711] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.761232] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.761752] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.762275] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.762780] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.763272] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.763761] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.764233] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.764687] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.765125] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.765555] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.765999] BUG: Bad page map in process gunicorn: worke pte:6568202420326174 pmd:76cbb067 [ 9.766438] addr:000000000360d000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:360d [ 9.767325] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.767799] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.768732] 0000000000000000 ffffffff8151fda4 000000000360d000 ffff8800753700d0 [ 9.769231] ffffffff8116f380 ffffffff8116f380 ffff880076cbb068 6568202420326174 [ 9.769736] 0000000000000000 000000000373f000 ffff88006f837dd0 000000000360d000 [ 9.770253] Call Trace: [ 9.770771] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.771290] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.771807] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.772322] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.772820] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.773309] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.773789] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.774251] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.774699] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.775135] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.775556] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.775977] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.776388] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.776814] BUG: Bad page map in process gunicorn: worke pte:7363697473697275 pmd:76cbb067 [ 9.777234] addr:000000000360e000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:360e [ 9.778105] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.778561] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.779498] 0000000000000000 ffffffff8151fda4 000000000360e000 ffff8800753700d0 [ 9.780003] ffffffff8116f380 ffffffff8116f380 ffff880076cbb070 7363697473697275 [ 9.780514] 0000000000000000 000000000373f000 ffff88006f837dd0 000000000360e000 [ 9.781027] Call Trace: [ 9.781533] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.782054] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.782572] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.783087] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.783593] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.784082] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.784556] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.785019] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.785468] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.785902] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.786323] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.786744] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.787155] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.787598] swap_free: Bad swap file entry 180121eea324b7f6 [ 9.788001] BUG: Bad page map in process gunicorn: worke pte:637845736d202420 pmd:76cbb067 [ 9.788421] addr:000000000360f000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:360f [ 9.789290] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.789748] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.790698] 0000000000000000 ffffffff8151fda4 000000000360f000 ffff8800753700d0 [ 9.791202] ffffffff8116f380 000000000000000c ffff880076cbb078 637845736d202420 [ 9.791716] 0000000000000000 000000000373f000 ffff88006f837dd0 000000000360f000 [ 9.792234] Call Trace: [ 9.792744] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.793263] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.793792] [<ffffffff811707a2>] ? unmap_single_vma+0x4c2/0x830 [ 9.794303] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.794800] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.795284] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.795756] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.796215] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.796664] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.797096] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.797540] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.797979] swap_free: Bad swap file entry 100122e467a466aa [ 9.798398] BUG: Bad page map in process gunicorn: worke pte:43746e616e655468 pmd:76cbb067 [ 9.798832] addr:0000000003610000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3610 [ 9.799738] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.800211] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.801201] 0000000000000000 ffffffff8151fda4 0000000003610000 ffff8800753700d0 [ 9.801717] ffffffff8116f380 0000000000000008 ffff880076cbb080 43746e616e655468 [ 9.802240] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003610000 [ 9.802775] Call Trace: [ 9.803300] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.803833] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.804366] [<ffffffff811707a2>] ? unmap_single_vma+0x4c2/0x830 [ 9.804901] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.805429] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.805952] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.806456] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.806946] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.807424] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.807902] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.808357] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.808821] BUG: Bad page map in process gunicorn: worke pte:24207972746e756f pmd:76cbb067 [ 9.809276] addr:0000000003611000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3611 [ 9.810180] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.810648] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.811615] 0000000000000000 ffffffff8151fda4 0000000003611000 ffff8800753700d0 [ 9.812125] ffffffff8116f380 ffffffff8116f380 ffff880076cbb088 24207972746e756f [ 9.812641] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003611000 [ 9.813165] Call Trace: [ 9.813682] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.814210] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.814746] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.815269] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.815790] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.816309] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.816821] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.817315] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.817808] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.818276] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.818730] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.819169] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.819600] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.820041] BUG: Bad page map in process gunicorn: worke pte:5368637845736d20 pmd:76cbb067 [ 9.820483] addr:0000000003612000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3612 [ 9.821351] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.821812] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.822753] 0000000000000000 ffffffff8151fda4 0000000003612000 ffff8800753700d0 [ 9.823256] ffffffff8116f380 ffffffff8116f380 ffff880076cbb090 5368637845736d20 [ 9.823761] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003612000 [ 9.824273] Call Trace: [ 9.824779] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.825296] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.825822] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.826332] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.826830] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.827319] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.827809] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.828271] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.828720] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.829152] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.829573] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.829987] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.830398] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.830835] BUG: Bad page map in process gunicorn: worke pte:7461745370757465 pmd:76cbb067 [ 9.831272] addr:0000000003613000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3613 [ 9.832127] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.832583] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.833516] 0000000000000000 ffffffff8151fda4 0000000003613000 ffff8800753700d0 [ 9.834039] ffffffff8116f380 ffffffff8116f380 ffff880076cbb098 7461745370757465 [ 9.834545] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003613000 [ 9.835058] Call Trace: [ 9.835567] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.836083] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.836607] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.837117] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.837635] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.838123] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.838597] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.839059] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.839507] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.839940] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.840361] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.840781] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.841193] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.841615] BUG: Bad page map in process gunicorn: worke pte:45736d2024207375 pmd:76cbb067 [ 9.842036] addr:0000000003614000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3614 [ 9.842890] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.843348] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.844285] 0000000000000000 ffffffff8151fda4 0000000003614000 ffff8800753700d0 [ 9.844790] ffffffff8116f380 ffffffff8116f380 ffff880076cbb0a0 45736d2024207375 [ 9.845296] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003614000 [ 9.845808] Call Trace: [ 9.846314] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.846831] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.847348] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.847877] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.848375] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.848864] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.849338] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.849800] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.850249] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.850688] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.851109] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.851523] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.851935] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.852355] BUG: Bad page map in process gunicorn: worke pte:736e617254686378 pmd:76cbb067 [ 9.852775] addr:0000000003615000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3615 [ 9.853628] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.854083] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.855025] 0000000000000000 ffffffff8151fda4 0000000003615000 ffff8800753700d0 [ 9.855526] ffffffff8116f380 ffffffff8116f380 ffff880076cbb0a8 736e617254686378 [ 9.856031] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003615000 [ 9.856544] Call Trace: [ 9.857049] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.857580] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.858098] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.858608] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.859141] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.859665] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.860185] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.860681] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.861131] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.861660] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.862108] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.862597] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.863072] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.863499] BUG: Bad page map in process gunicorn: worke pte:6f626e4974726f70 pmd:76cbb067 [ 9.863920] addr:0000000003616000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3616 [ 9.864776] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.865233] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.866176] 0000000000000000 ffffffff8151fda4 0000000003616000 ffff8800753700d0 [ 9.866679] ffffffff8116f380 ffffffff8116f380 ffff880076cbb0b0 6f626e4974726f70 [ 9.867185] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003616000 [ 9.867721] Call Trace: [ 9.868228] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.868745] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.869262] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.869772] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.870271] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.870766] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.871240] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.871703] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.872152] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.872608] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.873047] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.873462] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.873879] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.874301] BUG: Bad page map in process gunicorn: worke pte:6974746553646e75 pmd:76cbb067 [ 9.874721] addr:0000000003617000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3617 [ 9.875593] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.876049] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.876983] 0000000000000000 ffffffff8151fda4 0000000003617000 ffff8800753700d0 [ 9.877483] ffffffff8116f380 ffffffff8116f380 ffff880076cbb0b8 6974746553646e75 [ 9.878001] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003617000 [ 9.878514] Call Trace: [ 9.879019] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.879538] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.880055] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.880565] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.881068] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.881557] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.882031] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.882493] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.882946] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.883379] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.883805] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.884219] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.884630] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.885050] BUG: Bad page map in process gunicorn: worke pte:736d20242073676e pmd:76cbb067 [ 9.885470] addr:0000000003618000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3618 [ 9.886324] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.886779] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.887733] 0000000000000000 ffffffff8151fda4 0000000003618000 ffff8800753700d0 [ 9.888232] ffffffff8116f380 ffffffff8116f380 ffff880076cbb0c0 736d20242073676e [ 9.888738] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003618000 [ 9.889250] Call Trace: [ 9.889755] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.890272] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.890795] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.891306] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.891804] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.892294] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.892769] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.893232] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.893687] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.894120] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.894542] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.894957] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.895368] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.895789] BUG: Bad page map in process gunicorn: worke pte:624f4c4168637845 pmd:76cbb067 [ 9.896208] addr:0000000003619000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3619 [ 9.897063] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.897519] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.898467] 0000000000000000 ffffffff8151fda4 0000000003619000 ffff8800753700d0 [ 9.898967] ffffffff8116f380 ffffffff8116f380 ffff880076cbb0c8 624f4c4168637845 [ 9.899476] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003619000 [ 9.899989] Call Trace: [ 9.900495] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.901018] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.901536] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.902048] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.902548] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.903038] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.903513] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.903983] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.904432] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.904866] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.905288] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.905704] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.906115] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.906535] BUG: Bad page map in process gunicorn: worke pte:737265567463656a pmd:76cbb067 [ 9.906954] addr:000000000361a000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:361a [ 9.907851] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.908309] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.909245] 0000000000000000 ffffffff8151fda4 000000000361a000 ffff8800753700d0 [ 9.909745] ffffffff8116f380 ffffffff8116f380 ffff880076cbb0d0 737265567463656a [ 9.910250] 0000000000000000 000000000373f000 ffff88006f837dd0 000000000361a000 [ 9.910769] Call Trace: [ 9.911275] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.911793] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.912310] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.912819] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.913318] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.913812] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.914286] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.914748] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.915197] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.915631] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.916052] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.916467] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.916883] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.917304] BUG: Bad page map in process gunicorn: worke pte:65722024206e6f69 pmd:76cbb067 [ 9.917739] addr:000000000361b000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:361b [ 9.918592] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.919046] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.919983] 0000000000000000 ffffffff8151fda4 000000000361b000 ffff8800753700d0 [ 9.920483] ffffffff8116f380 ffffffff8116f380 ffff880076cbb0d8 65722024206e6f69 [ 9.920993] 0000000000000000 000000000373f000 ffff88006f837dd0 000000000361b000 [ 9.921505] Call Trace: [ 9.922011] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.922527] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.923044] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.923554] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.924062] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.924551] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.925025] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.925524] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.925974] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.926406] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.926827] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.927241] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.927667] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.928087] swap_free: Bad swap file entry 1a0025a2e7a725a4 [ 9.928492] BUG: Bad page map in process gunicorn: worke pte:6f69746163696c70 pmd:76cbb067 [ 9.928912] addr:000000000361c000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:361c [ 9.929780] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.930238] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.931186] 0000000000000000 ffffffff8151fda4 000000000361c000 ffff8800753700d0 [ 9.931692] ffffffff8116f380 000000000000000d ffff880076cbb0e0 6f69746163696c70 [ 9.932204] 0000000000000000 000000000373f000 ffff88006f837dd0 000000000361c000 [ 9.932721] Call Trace: [ 9.933231] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.933755] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.934300] [<ffffffff811707a2>] ? unmap_single_vma+0x4c2/0x830 [ 9.934833] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.935339] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.935822] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.936294] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.936758] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.937200] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.937644] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.938071] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.938519] BUG: Bad page map in process gunicorn: worke pte:7574616e6769536e pmd:76cbb067 [ 9.938952] addr:000000000361d000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:361d [ 9.939843] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.940311] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.941268] 0000000000000000 ffffffff8151fda4 000000000361d000 ffff8800753700d0 [ 9.941777] ffffffff8116f380 ffffffff8116f380 ffff880076cbb0e8 7574616e6769536e [ 9.942293] 0000000000000000 000000000373f000 ffff88006f837dd0 000000000361d000 [ 9.942822] Call Trace: [ 9.943341] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.943869] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.944415] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.944938] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.945459] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.945984] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.946490] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.946984] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.947463] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.947949] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.948404] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.948843] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.949274] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.949718] BUG: Bad page map in process gunicorn: worke pte:45736d2024206572 pmd:76cbb067 [ 9.950158] addr:000000000361e000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:361e [ 9.951028] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.951507] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.952445] 0000000000000000 ffffffff8151fda4 000000000361e000 ffff8800753700d0 [ 9.952946] ffffffff8116f380 ffffffff8116f380 ffff880076cbb0f0 45736d2024206572 [ 9.953453] 0000000000000000 000000000373f000 ffff88006f837dd0 000000000361e000 [ 9.953972] Call Trace: [ 9.954479] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.954997] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.955515] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.956026] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.956526] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.957021] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.957496] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.957972] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.958421] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.958855] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.959277] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.959692] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.960103] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.960525] BUG: Bad page map in process gunicorn: worke pte:7973726944686378 pmd:76cbb067 [ 9.960945] addr:000000000361f000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:361f [ 9.961798] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.962253] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.963196] 0000000000000000 ffffffff8151fda4 000000000361f000 ffff8800753700d0 [ 9.963697] ffffffff8116f380 ffffffff8116f380 ffff880076cbb0f8 7973726944686378 [ 9.964203] 0000000000000000 000000000373f000 ffff88006f837dd0 000000000361f000 [ 9.964716] Call Trace: [ 9.965221] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.965744] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.966262] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.966772] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.967270] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.967773] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.968247] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.968710] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.969159] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.969593] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.970014] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.970430] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.970848] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.971269] BUG: Bad page map in process gunicorn: worke pte:726f68747541636e pmd:76cbb067 [ 9.971706] addr:0000000003620000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3620 [ 9.972562] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.973018] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.973955] 0000000000000000 ffffffff8151fda4 0000000003620000 ffff8800753700d0 [ 9.974456] ffffffff8116f380 ffffffff8116f380 ffff880076cbb100 726f68747541636e [ 9.974967] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003620000 [ 9.975481] Call Trace: [ 9.975987] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.976504] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.977021] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.977532] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.978045] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.978534] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.979009] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.979472] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.979922] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.980355] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.980783] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.981198] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.981609] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.982030] BUG: Bad page map in process gunicorn: worke pte:646174654d797469 pmd:76cbb067 [ 9.982450] addr:0000000003621000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3621 [ 9.983304] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.983762] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.984701] 0000000000000000 ffffffff8151fda4 0000000003621000 ffff8800753700d0 [ 9.985200] ffffffff8116f380 ffffffff8116f380 ffff880076cbb108 646174654d797469 [ 9.985705] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003621000 [ 9.986218] Call Trace: [ 9.986723] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.987239] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.987773] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.988284] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.988782] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 9.989271] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 9.989746] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 9.990208] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 9.990658] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 9.991096] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 9.991517] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 9.991933] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 9.992344] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 9.992765] BUG: Bad page map in process gunicorn: worke pte:736d202420617461 pmd:76cbb067 [ 9.993184] addr:0000000003622000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3622 [ 9.994039] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 9.994495] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 9.995433] 0000000000000000 ffffffff8151fda4 0000000003622000 ffff8800753700d0 [ 9.995941] ffffffff8116f380 ffffffff8116f380 ffff880076cbb110 736d202420617461 [ 9.996447] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003622000 [ 9.996961] Call Trace: [ 9.997466] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 9.997997] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.998514] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 9.999024] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 9.999523] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.000012] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.000488] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.000959] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.001410] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.001845] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.002268] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.002684] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.003096] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.003517] BUG: Bad page map in process gunicorn: worke pte:6166654468637845 pmd:76cbb067 [ 10.003936] addr:0000000003623000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3623 [ 10.004792] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.005249] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.006191] 0000000000000000 ffffffff8151fda4 0000000003623000 ffff8800753700d0 [ 10.006692] ffffffff8116f380 ffffffff8116f380 ffff880076cbb118 6166654468637845 [ 10.007199] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003623000 [ 10.007728] Call Trace: [ 10.008235] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.008753] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.009272] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.009784] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.010284] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.010784] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.011259] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.011723] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.012173] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.012607] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.013029] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.013449] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.013867] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.014287] BUG: Bad page map in process gunicorn: worke pte:696c627550746c75 pmd:76cbb067 [ 10.014706] addr:0000000003624000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3624 [ 10.015660] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.016167] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.017131] 0000000000000000 ffffffff8151fda4 0000000003624000 ffff8800753700d0 [ 10.017631] ffffffff8116f380 ffffffff8116f380 ffff880076cbb120 696c627550746c75 [ 10.018152] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003624000 [ 10.018665] Call Trace: [ 10.019170] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.019689] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.020206] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.020722] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.021220] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.021708] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.022182] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.022644] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.023092] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.023525] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.023951] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.024365] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.024775] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.025199] BUG: Bad page map in process gunicorn: worke pte:4d7265646c6f4663 pmd:76cbb067 [ 10.025617] addr:0000000003625000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3625 [ 10.026508] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.026963] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.028333] 0000000000000000 ffffffff8151fda4 0000000003625000 ffff8800753700d0 [ 10.028844] ffffffff8116f380 ffffffff8116f380 ffff880076cbb128 4d7265646c6f4663 [ 10.029348] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003625000 [ 10.029861] Call Trace: [ 10.030368] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.030885] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.031403] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.031919] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.032418] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.032908] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.033382] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.033844] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.034293] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.034732] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.035153] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.035569] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.035986] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.036412] BUG: Bad page map in process gunicorn: worke pte:2420786f626c6961 pmd:76cbb067 [ 10.036832] addr:0000000003626000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3626 [ 10.037688] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.038152] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.039088] 0000000000000000 ffffffff8151fda4 0000000003626000 ffff8800753700d0 [ 10.039590] ffffffff8116f380 ffffffff8116f380 ffff880076cbb130 2420786f626c6961 [ 10.040097] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003626000 [ 10.040620] Call Trace: [ 10.041126] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.041643] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.042161] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.042671] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.043176] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.043665] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.044139] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.044602] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.045051] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.045484] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.045912] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.046327] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.046738] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.047160] BUG: Bad page map in process gunicorn: worke pte:4568637845736d20 pmd:76cbb067 [ 10.047594] addr:0000000003627000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3627 [ 10.048457] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.048912] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.049845] 0000000000000000 ffffffff8151fda4 0000000003627000 ffff8800753700d0 [ 10.050344] ffffffff8116f380 ffffffff8116f380 ffff880076cbb138 4568637845736d20 [ 10.050855] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003627000 [ 10.051367] Call Trace: [ 10.051876] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.052392] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.052909] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.053419] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.053923] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.054412] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.054886] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.055348] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.055797] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.056229] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.056650] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.057071] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.057482] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.057922] BUG: Bad page map in process gunicorn: worke pte:656c62616e457377 pmd:76cbb067 [ 10.058343] addr:0000000003628000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3628 [ 10.059197] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.059655] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.060589] 0000000000000000 ffffffff8151fda4 0000000003628000 ffff8800753700d0 [ 10.061094] ffffffff8116f380 ffffffff8116f380 ffff880076cbb140 656c62616e457377 [ 10.061600] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003628000 [ 10.062113] Call Trace: [ 10.062619] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.063135] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.063653] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.064169] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.064668] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.065157] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.065631] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.066094] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.066544] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.066983] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.067404] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.067837] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.068248] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.068669] swap_free: Bad swap file entry 1a00e3e6a377f6f7 [ 10.069073] BUG: Bad page map in process gunicorn: worke pte:6c70657220242064 pmd:76cbb067 [ 10.069493] addr:0000000003629000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3629 [ 10.070362] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.070826] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.071773] 0000000000000000 ffffffff8151fda4 0000000003629000 ffff8800753700d0 [ 10.072276] ffffffff8116f380 000000000000000d ffff880076cbb148 6c70657220242064 [ 10.072790] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003629000 [ 10.073308] Call Trace: [ 10.073825] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.074345] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.074866] [<ffffffff811707a2>] ? unmap_single_vma+0x4c2/0x830 [ 10.075378] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.075876] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.076361] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.076842] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.077301] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.077761] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.078193] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.078623] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.079064] BUG: Bad page map in process gunicorn: worke pte:624f646574616369 pmd:76cbb067 [ 10.079514] addr:000000000362a000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:362a [ 10.080385] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.080851] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.081815] 0000000000000000 ffffffff8151fda4 000000000362a000 ffff8800753700d0 [ 10.082324] ffffffff8116f380 ffffffff8116f380 ffff880076cbb150 624f646574616369 [ 10.082840] 0000000000000000 000000000373f000 ffff88006f837dd0 000000000362a000 [ 10.083362] Call Trace: [ 10.083881] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.084408] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.084943] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.085464] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.085985] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.086504] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.087009] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.087503] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.087992] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.088459] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.088915] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.089355] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.089786] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.090228] BUG: Bad page map in process gunicorn: worke pte:737265567463656a pmd:76cbb067 [ 10.090667] addr:000000000362b000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:362b [ 10.091555] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.092013] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.092949] 0000000000000000 ffffffff8151fda4 000000000362b000 ffff8800753700d0 [ 10.093448] ffffffff8116f380 ffffffff8116f380 ffff880076cbb158 737265567463656a [ 10.093959] 0000000000000000 000000000373f000 ffff88006f837dd0 000000000362b000 [ 10.094472] Call Trace: [ 10.094978] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.095497] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.096015] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.096525] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.097030] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.097520] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.098010] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.098474] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.098923] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.099356] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.099778] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.100194] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.100606] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.101031] BUG: Bad page map in process gunicorn: worke pte:736d2024206e6f69 pmd:76cbb067 [ 10.101450] addr:000000000362c000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:362c [ 10.102307] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.102764] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.103702] 0000000000000000 ffffffff8151fda4 000000000362c000 ffff8800753700d0 [ 10.104208] ffffffff8116f380 ffffffff8116f380 ffff880076cbb160 736d2024206e6f69 [ 10.104714] 0000000000000000 000000000373f000 ffff88006f837dd0 000000000362c000 [ 10.105227] Call Trace: [ 10.105733] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.106251] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.106775] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.107286] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.107803] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.108306] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.108781] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.109244] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.109693] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.110127] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.110549] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.110969] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.111381] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.111802] BUG: Bad page map in process gunicorn: worke pte:6461685368637845 pmd:76cbb067 [ 10.112219] addr:000000000362d000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:362d [ 10.113073] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.113529] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.114464] 0000000000000000 ffffffff8151fda4 000000000362d000 ffff8800753700d0 [ 10.114969] ffffffff8116f380 ffffffff8116f380 ffff880076cbb168 6461685368637845 [ 10.115478] 0000000000000000 000000000373f000 ffff88006f837dd0 000000000362d000 [ 10.115992] Call Trace: [ 10.116499] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.117016] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.117534] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.118057] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.118556] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.119046] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.119521] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.119984] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.120433] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.120873] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.121295] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.121711] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.122123] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.122544] BUG: Bad page map in process gunicorn: worke pte:48726568744f776f pmd:76cbb067 [ 10.122962] addr:000000000362e000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:362e [ 10.123836] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.124293] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.125231] 0000000000000000 ffffffff8151fda4 000000000362e000 ffff8800753700d0 [ 10.125731] ffffffff8116f380 ffffffff8116f380 ffff880076cbb170 48726568744f776f [ 10.126237] 0000000000000000 000000000373f000 ffff88006f837dd0 000000000362e000 [ 10.126750] Call Trace: [ 10.127260] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.127796] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.128314] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.128824] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.129322] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.129811] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.130285] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.130747] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.131201] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.131634] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.132056] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.132470] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.132881] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.133303] BUG: Bad page map in process gunicorn: worke pte:656e6f6850656d6f pmd:76cbb067 [ 10.133722] addr:000000000362f000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:362f [ 10.134574] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.135029] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.135970] 0000000000000000 ffffffff8151fda4 000000000362f000 ffff8800753700d0 [ 10.136476] ffffffff8116f380 ffffffff8116f380 ffff880076cbb178 656e6f6850656d6f [ 10.136981] 0000000000000000 000000000373f000 ffff88006f837dd0 000000000362f000 [ 10.137493] Call Trace: [ 10.138013] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.138530] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.139053] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.139562] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.140060] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.140549] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.141036] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.141498] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.141947] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.142379] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.142800] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.143215] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.143627] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.144054] swap_free: Bad swap file entry 1c0166a4a462b7f6 [ 10.144459] BUG: Bad page map in process gunicorn: worke pte:72656d6e75202420 pmd:76cbb067 [ 10.144881] addr:0000000003630000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3630 [ 10.145752] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.146212] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.147167] 0000000000000000 ffffffff8151fda4 0000000003630000 ffff8800753700d0 [ 10.147674] ffffffff8116f380 000000000000000e ffff880076cbb180 72656d6e75202420 [ 10.148201] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003630000 [ 10.148718] Call Trace: [ 10.149229] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.149749] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.150270] [<ffffffff811707a2>] ? unmap_single_vma+0x4c2/0x830 [ 10.150783] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.151286] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.151771] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.152245] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.152704] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.153214] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.153654] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.154083] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.154531] BUG: Bad page map in process gunicorn: worke pte:2073747441646567 pmd:76cbb067 [ 10.154963] addr:0000000003631000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3631 [ 10.155854] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.156323] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.157280] 0000000000000000 ffffffff8151fda4 0000000003631000 ffff8800753700d0 [ 10.157789] ffffffff8116f380 ffffffff8116f380 ffff880076cbb188 2073747441646567 [ 10.158322] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003631000 [ 10.158851] Call Trace: [ 10.159368] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.159897] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.160427] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.160954] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.161488] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.162006] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.162511] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.163010] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.163488] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.163966] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.164429] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.164869] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.165300] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.165742] swap_free: Bad swap file entry 1a01e721eea324b7 [ 10.166165] BUG: Bad page map in process gunicorn: worke pte:68637845736d2024 pmd:76cbb067 [ 10.166602] addr:0000000003632000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3632 [ 10.167475] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.167994] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.169003] 0000000000000000 ffffffff8151fda4 0000000003632000 ffff8800753700d0 [ 10.169514] ffffffff8116f380 000000000000000d ffff880076cbb190 68637845736d2024 [ 10.170027] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003632000 [ 10.170545] Call Trace: [ 10.171056] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.171585] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.172106] [<ffffffff811707a2>] ? unmap_single_vma+0x4c2/0x830 [ 10.172618] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.173116] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.173601] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.174074] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.174534] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.174978] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.175410] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.175839] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.176281] BUG: Bad page map in process gunicorn: worke pte:6f437463656a624f pmd:76cbb067 [ 10.176714] addr:0000000003633000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3633 [ 10.177592] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.178075] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.179038] 0000000000000000 ffffffff8151fda4 0000000003633000 ffff8800753700d0 [ 10.179555] ffffffff8116f380 ffffffff8116f380 ffff880076cbb198 6f437463656a624f [ 10.180071] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003633000 [ 10.180594] Call Trace: [ 10.181118] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.181645] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.182174] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.182697] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.183224] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.183743] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.184259] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.184753] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.185232] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.185700] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.186154] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.186594] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.187030] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.187471] BUG: Bad page map in process gunicorn: worke pte:61746f7551746e75 pmd:76cbb067 [ 10.187935] addr:0000000003634000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3634 [ 10.188804] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.189261] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.190202] 0000000000000000 ffffffff8151fda4 0000000003634000 ffff8800753700d0 [ 10.190702] ffffffff8116f380 ffffffff8116f380 ffff880076cbb1a0 61746f7551746e75 [ 10.191213] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003634000 [ 10.191729] Call Trace: [ 10.192235] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.192752] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.193269] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.193785] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.194290] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.194780] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.195261] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.195724] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.196173] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.196606] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.197036] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.197451] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.197876] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.198296] swap_free: Bad swap file entry 180121eea324b7f6 [ 10.198701] BUG: Bad page map in process gunicorn: worke pte:637845736d202420 pmd:76cbb067 [ 10.199125] addr:0000000003635000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3635 [ 10.200016] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.200476] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.201418] 0000000000000000 ffffffff8151fda4 0000000003635000 ffff8800753700d0 [ 10.201921] ffffffff8116f380 000000000000000c ffff880076cbb1a8 637845736d202420 [ 10.202432] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003635000 [ 10.202959] Call Trace: [ 10.203468] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.203990] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.204515] [<ffffffff811707a2>] ? unmap_single_vma+0x4c2/0x830 [ 10.205026] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.205524] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.206013] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.206486] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.206944] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.207387] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.207818] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.208267] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.208708] BUG: Bad page map in process gunicorn: worke pte:54776f6461685368 pmd:76cbb067 [ 10.209143] addr:0000000003636000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3636 [ 10.210014] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.210481] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.211445] 0000000000000000 ffffffff8151fda4 0000000003636000 ffff8800753700d0 [ 10.211957] ffffffff8116f380 ffffffff8116f380 ffff880076cbb1b0 54776f6461685368 [ 10.212473] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003636000 [ 10.212996] Call Trace: [ 10.213519] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.214155] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.214686] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.215209] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.215763] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.216310] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.216824] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.217318] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.217804] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.218287] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.218743] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.219183] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.219615] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.220066] BUG: Bad page map in process gunicorn: worke pte:6d202420656c7469 pmd:76cbb067 [ 10.220507] addr:0000000003637000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3637 [ 10.221377] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.221842] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.222778] 0000000000000000 ffffffff8151fda4 0000000003637000 ffff8800753700d0 [ 10.223284] ffffffff8116f380 ffffffff8116f380 ffff880076cbb1b8 6d202420656c7469 [ 10.223792] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003637000 [ 10.224306] Call Trace: [ 10.224813] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.225344] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.225868] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.226379] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.226878] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.227373] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.227860] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.228325] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.228775] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.229209] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.229630] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.230046] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.230463] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.230891] BUG: Bad page map in process gunicorn: worke pte:6168536863784573 pmd:76cbb067 [ 10.231312] addr:0000000003638000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3638 [ 10.232198] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.232657] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.233596] 0000000000000000 ffffffff8151fda4 0000000003638000 ffff8800753700d0 [ 10.234096] ffffffff8116f380 ffffffff8116f380 ffff880076cbb1c0 6168536863784573 [ 10.234602] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003638000 [ 10.235121] Call Trace: [ 10.235629] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.236146] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.236664] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.237174] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.237679] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.238177] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.238652] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.239114] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.239564] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.240002] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.240424] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.240839] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.241256] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.241683] BUG: Bad page map in process gunicorn: worke pte:6c69626f4d776f64 pmd:76cbb067 [ 10.242103] addr:0000000003639000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:3639 [ 10.242957] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.243413] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.244356] 0000000000000000 ffffffff8151fda4 0000000003639000 ffff8800753700d0 [ 10.244855] ffffffff8116f380 ffffffff8116f380 ffff880076cbb1c8 6c69626f4d776f64 [ 10.245361] 0000000000000000 000000000373f000 ffff88006f837dd0 0000000003639000 [ 10.245874] Call Trace: [ 10.246380] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.246902] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.247420] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.247944] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.248443] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.248932] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.249406] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.249869] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.250319] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.250752] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.251179] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.251595] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.252007] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.252427] BUG: Bad page map in process gunicorn: worke pte:7845736d20242065 pmd:76cbb067 [ 10.252845] addr:000000000363a000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:363a [ 10.253701] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.254157] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.255099] 0000000000000000 ffffffff8151fda4 000000000363a000 ffff8800753700d0 [ 10.255601] ffffffff8116f380 ffffffff8116f380 ffff880076cbb1d0 7845736d20242065 [ 10.256107] 0000000000000000 000000000373f000 ffff88006f837dd0 000000000363a000 [ 10.256620] Call Trace: [ 10.257126] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.257642] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.258174] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.258685] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.259184] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.259673] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.260147] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.260610] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.261065] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.261498] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.261920] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.262334] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.262745] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.263164] BUG: Bad page map in process gunicorn: worke pte:533450414d496863 pmd:76cbb067 [ 10.263599] addr:000000000363b000 vm_flags:08100073 anon_vma:ffff88007538c470 mapping: (null) index:363b [ 10.264453] CPU: 1 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.264909] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.265843] 0000000000000000 ffffffff8151fda4 000000000363b000 ffff8800753700d0 [ 10.266348] ffffffff8116f380 ffffffff8116f380 ffff880076cbb1d8 533450414d496863 [ 10.266853] 0000000000000000 000000000373f000 ffff88006f837dd0 000000000363b000 [ 10.267365] Call Trace: [ 10.267873] [<ffffffff8151fda4>] ? dump_stack+0x5d/0x78 [ 10.268401] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.268919] [<ffffffff8116f380>] ? print_bad_pte+0x1b0/0x280 [ 10.269428] [<ffffffff811702a7>] ? vm_normal_page+0x87/0xc0 [ 10.269927] [<ffffffff81170820>] ? unmap_single_vma+0x540/0x830 [ 10.270417] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.270897] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.271359] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.271809] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.272242] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.272663] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.273078] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.273490] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.273915] swap_free: Bad swap file entry 1a01e721eea324b7 [ 10.274322] swap_free: Bad swap file entry 1a01e721eea324b7 [ 10.274717] swap_free: Bad swap file entry 1a01e721eea324b7 [ 10.275112] swap_free: Bad swap file entry 180121eea324b7f6 [ 10.275504] swap_free: Bad swap file entry 180121eea324b7f6 [ 10.275910] swap_free: Bad swap file entry 801f6f7e32627a4 [ 10.276295] swap_free: Bad swap file entry 180121eea324b7f6 [ 10.276676] swap_free: Bad swap file entry 180121eea324b7f6 [ 10.277050] swap_free: Bad swap file entry 1a0023e32467a36a [ 10.277422] swap_free: Bad swap file entry 1c00a42762e2ac22 [ 10.277791] swap_free: Bad swap file entry 1a0065a2e2e6ab26 [ 10.278174] swap_free: Bad swap file entry 1a01e721eea324b7 [ 10.278537] swap_free: Bad swap file entry 1a01e721eea324b7 [ 10.278892] swap_free: Bad swap file entry 180121eea324b7f6 [ 10.279233] swap_free: Bad swap file entry 180121eea324b7f6 [ 10.279556] swap_free: Bad swap file entry 1a01e721eea324b7 [ 10.279885] swap_free: Bad swap file entry 1a01e721eea324b7 [ 10.280177] swap_free: Bad swap file entry 180121eea324b7f6 [ 10.280452] swap_free: Bad swap file entry 1e01eea324b7f6f7 [ 10.280709] swap_free: Bad swap file entry 1000a324b7f6f7e2 [ 10.280951] swap_free: Bad swap file entry 180121eea324b7f6 [ 10.281184] swap_free: Bad swap file entry 1e01eea324b7f6f7 [ 10.281407] swap_free: Bad swap file entry 1a00a2ac66a46425 [ 10.281619] swap_free: Bad swap file entry 1c0126a32326a366 [ 10.281824] swap_free: Bad swap file entry 180121eea324b7f6 [ 10.282030] swap_free: Bad swap file entry 180121eea324b7f6 [ 10.282231] swap_free: Bad swap file entry 18012461a32365ae [ 10.282428] swap_free: Bad swap offset entry 1defef5b5b7e2 [ 10.282623] swap_free: Bad swap file entry c0133b3b473f2f1 [ 10.282818] swap_free: Bad swap file entry 1000acafac77f332 [ 10.283012] swap_free: Bad swap file entry 1801a2e4242777f5 [ 10.283202] swap_free: Bad swap file entry 180125a266aee6a4 [ 10.283391] swap_free: Bad swap file entry 1c0162a726ab26a4 [ 10.283576] swap_free: Bad swap file entry 1800a6a6a5b7f6f7 [ 10.283779] swap_free: Bad swap file entry 180125a266aef373 [ 10.283960] swap_free: Bad swap file entry 14012ee324b7f6f7 [ 10.284135] swap_free: Bad swap file entry 10012aeb6324b7f6 [ 10.284301] swap_free: Bad swap file entry 1800ab26a325a363 [ 10.284470] swap_free: Bad swap file entry 10012aeb6324b7f6 [ 10.285057] stack segment: 0000 [#2] SMP [ 10.285249] Modules linked in: binfmt_misc ip6table_filter ip6_tables ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 xt_comment xt_multiport xt_conntrack nf_conntrack iptable_filter ip_tables x_tables crc32_pclmul crc32c_intel aesni_intel aes_x86_64 glue_helper lrw vmw_vsock_vmci_transport vsock gf128mul vmw_balloon ppdev evdev ablk_helper cryptd pcspkr serio_raw vmwgfx drm_kms_helper ttm ac processor battery button parport_pc thermal_sys drm parport shpchp vmw_vmci autofs4 ext4 crc16 mbcache jbd2 dm_mod sg sr_mod cdrom sd_mod crc_t10dif crct10dif_generic ata_generic crct10dif_pclmul crct10dif_common psmouse vmxnet3 ata_piix mptspi scsi_transport_spi mptscsih libata i2c_piix4 mptbase scsi_mod i2c_core [ 10.287519] CPU: 2 PID: 717 Comm: gunicorn: worke Tainted: G B D 3.16.59+ #18 [ 10.287874] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 [ 10.288623] task: ffff88007835e090 ti: ffff88006f834000 task.ti: ffff88006f834000 [ 10.289024] RIP: 0010:[<ffffffff81184f8c>] [<ffffffff81184f8c>] free_pages_and_swap_cache+0x5c/0xc0 [ 10.289870] RSP: 0018:ffff88006f837c60 EFLAGS: 00010282 [ 10.290311] RAX: 000000000000000d RBX: ffff880076d1a010 RCX: 0000000000000000 [ 10.290768] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88007fd12140 [ 10.291235] RBP: 7265726576696c65 R08: 0000000000000001 R09: 0000000000016ef8 [ 10.291702] R10: 0000000000000004 R11: ffffffff8172a2cb R12: ffff880076d1a080 [ 10.292179] R13: ffff880076d1a010 R14: 000000000000000e R15: 0000000068637845 [ 10.292665] FS: 00007fb4c0ffe700(0000) GS:ffff88007fd00000(0000) knlGS:0000000000000000 [ 10.293167] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 10.293687] CR2: 00007f97a8265050 CR3: 000000007ade2000 CR4: 0000000000360770 [ 10.294263] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 10.294793] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 10.295316] Stack: [ 10.295839] ffff880076d1a000 ffff88006f837df8 ffff88006f837dd0 00007fb4bbc00000 [ 10.296393] ffff88006f837dd0 00007fb4bbb9a000 ffffffff8116f05c ffffffffffffffff [ 10.296961] ffffea000179f040 0000000000000000 ffffffff8117092a ffff8800783cd080 [ 10.297531] Call Trace: [ 10.298111] [<ffffffff8116f05c>] ? tlb_flush_mmu_free+0x2c/0x50 [ 10.298694] [<ffffffff8117092a>] ? unmap_single_vma+0x64a/0x830 [ 10.299280] [<ffffffff81171c6c>] ? unmap_vmas+0x4c/0xa0 [ 10.299869] [<ffffffff8117ad62>] ? exit_mmap+0x92/0x160 [ 10.300460] [<ffffffff81069b4c>] ? mmput+0x5c/0x120 [ 10.301060] [<ffffffff8106f033>] ? do_exit+0x333/0xae0 [ 10.301648] [<ffffffff8151e706>] ? printk+0x4f/0x57 [ 10.302226] [<ffffffff81017697>] ? oops_end+0x97/0xe0 [ 10.302786] [<ffffffff8105b896>] ? __do_page_fault+0x376/0x470 [ 10.303333] [<ffffffff81527f08>] ? page_fault+0x28/0x30 [ 10.303863] Code: 00 45 0f 4e f7 45 85 f6 7e 55 41 8d 46 ff 4c 89 eb 4c 8d 24 c5 08 00 00 00 4d 01 ec eb 0a 90 48 83 c3 08 4c 39 e3 74 37 48 8b 2b <48> 8b 45 00 a9 00 00 01 00 74 e9 8b 45 18 85 c0 79 e2 f0 0f ba [ 10.305611] RIP [<ffffffff81184f8c>] free_pages_and_swap_cache+0x5c/0xc0 [ 10.306580] RSP <ffff88006f837c60> [ 10.307535] ---[ end trace f863ea854df6c9a6 ]--- [ 10.308180] Fixing recursive fault but reboot is needed!
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Maciej W. Rozycki" macro@mips.com
commit 71e909c0cdad28a1df1fa14442929e68615dee45 upstream.
Correct commit 7aeb753b5353 ("MIPS: Implement task_user_regset_view.") and expose the FIR register using the unused 4 bytes at the end of the NT_PRFPREG regset. Without that register included clients cannot use the PTRACE_GETREGSET request to retrieve the complete FPU register set and have to resort to one of the older interfaces, either PTRACE_PEEKUSR or PTRACE_GETFPREGS, to retrieve the missing piece of data. Also the register is irreversibly missing from core dumps.
This register is architecturally hardwired and read-only so the write path does not matter. Ignore data supplied on writes then.
Fixes: 7aeb753b5353 ("MIPS: Implement task_user_regset_view.") Signed-off-by: James Hogan jhogan@kernel.org Signed-off-by: Maciej W. Rozycki macro@mips.com Cc: Ralf Baechle ralf@linux-mips.org Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/19273/ Signed-off-by: James Hogan jhogan@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/mips/kernel/ptrace.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-)
--- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c @@ -481,7 +481,7 @@ static int fpr_get_msa(struct task_struc /* * Copy the floating-point context to the supplied NT_PRFPREG buffer. * Choose the appropriate helper for general registers, and then copy - * the FCSR register separately. + * the FCSR and FIR registers separately. */ static int fpr_get(struct task_struct *target, const struct user_regset *regset, @@ -489,6 +489,7 @@ static int fpr_get(struct task_struct *t void *kbuf, void __user *ubuf) { const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t); + const int fir_pos = fcr31_pos + sizeof(u32); int err;
if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t)) @@ -501,6 +502,12 @@ static int fpr_get(struct task_struct *t err = user_regset_copyout(&pos, &count, &kbuf, &ubuf, &target->thread.fpu.fcr31, fcr31_pos, fcr31_pos + sizeof(u32)); + if (err) + return err; + + err = user_regset_copyout(&pos, &count, &kbuf, &ubuf, + &boot_cpu_data.fpu_id, + fir_pos, fir_pos + sizeof(u32));
return err; } @@ -549,7 +556,8 @@ static int fpr_set_msa(struct task_struc /* * Copy the supplied NT_PRFPREG buffer to the floating-point context. * Choose the appropriate helper for general registers, and then copy - * the FCSR register separately. + * the FCSR register separately. Ignore the incoming FIR register + * contents though, as the register is read-only. * * We optimize for the case where `count % sizeof(elf_fpreg_t) == 0', * which is supposed to have been guaranteed by the kernel before @@ -563,6 +571,7 @@ static int fpr_set(struct task_struct *t const void *kbuf, const void __user *ubuf) { const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t); + const int fir_pos = fcr31_pos + sizeof(u32); u32 fcr31; int err;
@@ -590,6 +599,11 @@ static int fpr_set(struct task_struct *t ptrace_setfcr31(target, fcr31); }
+ if (count > 0) + err = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf, + fir_pos, + fir_pos + sizeof(u32)); + return err; }
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peter Rosin peda@axentia.se
commit de9a8634f1cb4560a35696d472cc7f1383d9b866 upstream.
Returning zero is wrong in this case.
Signed-off-by: Peter Rosin peda@axentia.se Signed-off-by: Wolfram Sang wsa@the-dreams.de Fixes: 1b144df1d7d6 ("i2c: New PMC MSP71xx TWI bus driver") Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/i2c/busses/i2c-pmcmsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-pmcmsp.c +++ b/drivers/i2c/busses/i2c-pmcmsp.c @@ -599,7 +599,7 @@ static int pmcmsptwi_master_xfer(struct return -1; }
- return 0; + return num; }
static u32 pmcmsptwi_i2c_func(struct i2c_adapter *adapter)
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Kirill A. Shutemov" kirill.shutemov@linux.intel.com
commit 1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e upstream.
remap_file_pages(2) emulation can reach file which represents removed IPC ID as long as a memory segment is mapped. It breaks expectations of IPC subsystem.
Test case (rewritten to be more human readable, originally autogenerated by syzkaller[1]):
#define _GNU_SOURCE #include <stdlib.h> #include <sys/ipc.h> #include <sys/mman.h> #include <sys/shm.h>
#define PAGE_SIZE 4096
int main() { int id; void *p;
id = shmget(IPC_PRIVATE, 3 * PAGE_SIZE, 0); p = shmat(id, NULL, 0); shmctl(id, IPC_RMID, NULL); remap_file_pages(p, 3 * PAGE_SIZE, 0, 7, 0);
return 0; }
The patch changes shm_mmap() and code around shm_lock() to propagate locking error back to caller of shm_mmap().
[1] http://github.com/google/syzkaller
Signed-off-by: Kirill A. Shutemov kirill.shutemov@linux.intel.com Reported-by: Dmitry Vyukov dvyukov@google.com Cc: Davidlohr Bueso dave@stgolabs.net Cc: Manfred Spraul manfred@colorfullife.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- ipc/shm.c | 53 +++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 43 insertions(+), 10 deletions(-)
--- a/ipc/shm.c +++ b/ipc/shm.c @@ -156,11 +156,12 @@ static inline struct shmid_kernel *shm_l struct kern_ipc_perm *ipcp = ipc_lock(&shm_ids(ns), id);
/* - * We raced in the idr lookup or with shm_destroy(). Either way, the - * ID is busted. + * Callers of shm_lock() must validate the status of the returned ipc + * object pointer (as returned by ipc_lock()), and error out as + * appropriate. */ - WARN_ON(IS_ERR(ipcp)); - + if (IS_ERR(ipcp)) + return (void *)ipcp; return container_of(ipcp, struct shmid_kernel, shm_perm); }
@@ -185,18 +186,33 @@ static inline void shm_rmid(struct ipc_n }
-/* This is called by fork, once for every shm attach. */ -static void shm_open(struct vm_area_struct *vma) +static int __shm_open(struct vm_area_struct *vma) { struct file *file = vma->vm_file; struct shm_file_data *sfd = shm_file_data(file); struct shmid_kernel *shp;
shp = shm_lock(sfd->ns, sfd->id); + + if (IS_ERR(shp)) + return PTR_ERR(shp); + shp->shm_atim = get_seconds(); shp->shm_lprid = task_tgid_vnr(current); shp->shm_nattch++; shm_unlock(shp); + return 0; +} + +/* This is called by fork, once for every shm attach. */ +static void shm_open(struct vm_area_struct *vma) +{ + int err = __shm_open(vma); + /* + * We raced in the idr lookup or with shm_destroy(). + * Either way, the ID is busted. + */ + WARN_ON_ONCE(err); }
/* @@ -258,6 +274,14 @@ static void shm_close(struct vm_area_str down_write(&shm_ids(ns).rwsem); /* remove from the list of attaches of the shm segment */ shp = shm_lock(ns, sfd->id); + + /* + * We raced in the idr lookup or with shm_destroy(). + * Either way, the ID is busted. + */ + if (WARN_ON_ONCE(IS_ERR(shp))) + goto done; /* no-op */ + shp->shm_lprid = task_tgid_vnr(current); shp->shm_dtim = get_seconds(); shp->shm_nattch--; @@ -265,6 +289,7 @@ static void shm_close(struct vm_area_str shm_destroy(ns, shp); else shm_unlock(shp); +done: up_write(&shm_ids(ns).rwsem); }
@@ -385,17 +410,25 @@ static int shm_mmap(struct file *file, s struct shm_file_data *sfd = shm_file_data(file); int ret;
+ /* + * In case of remap_file_pages() emulation, the file can represent + * removed IPC ID: propogate shm_lock() error to caller. + */ + ret =__shm_open(vma); + if (ret) + return ret; + ret = sfd->file->f_op->mmap(sfd->file, vma); - if (ret != 0) + if (ret) { + shm_close(vma); return ret; + } sfd->vm_ops = vma->vm_ops; #ifdef CONFIG_MMU WARN_ON(!sfd->vm_ops->fault); #endif vma->vm_ops = &shm_vm_ops; - shm_open(vma); - - return ret; + return 0; }
static int shm_release(struct inode *ino, struct file *file)
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp
commit a466ef76b815b86748d9870ef2a430af7b39c710 upstream.
From ff82bedd3e12f0d3353282054ae48c3bd8c72012 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp Date: Wed, 9 May 2018 12:12:39 +0900 Subject: [PATCH v3] x86/kexec: avoid double free_page() upon do_kexec_load() failure.
syzbot is reporting crashes after memory allocation failure inside do_kexec_load() [1]. This is because free_transition_pgtable() is called by both init_transition_pgtable() and machine_kexec_cleanup() when memory allocation failed inside init_transition_pgtable().
Regarding 32bit code, machine_kexec_free_page_tables() is called by both machine_kexec_alloc_page_tables() and machine_kexec_cleanup() when memory allocation failed inside machine_kexec_alloc_page_tables().
Fix this by leaving the error handling to machine_kexec_cleanup() (and optionally setting NULL after free_page()).
[1] https://syzkaller.appspot.com/bug?id=91e52396168cf2bdd572fe1e1bc0bc645c1c6b4...
Fixes: f5deb79679af6eb4 ("x86: kexec: Use one page table in x86_64 machine_kexec") Fixes: 92be3d6bdf2cb349 ("kexec/i386: allocate page table pages dynamically") Reported-by: syzbot syzbot+d96f60296ef613fe1d69@syzkaller.appspotmail.com Signed-off-by: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp Signed-off-by: Thomas Gleixner tglx@linutronix.de Acked-by: Baoquan He bhe@redhat.com Cc: thomas.lendacky@amd.com Cc: prudo@linux.vnet.ibm.com Cc: Huang Ying ying.huang@intel.com Cc: syzkaller-bugs@googlegroups.com Cc: takahiro.akashi@linaro.org Cc: H. Peter Anvin hpa@zytor.com Cc: akpm@linux-foundation.org Cc: dyoung@redhat.com Cc: kirill.shutemov@linux.intel.com Link: https://lkml.kernel.org/r/201805091942.DGG12448.tMFVFSJFQOOLHO@I-love.SAKURA... [bwh: Backported to 3.16: No need to handle a P4D] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/arch/x86/kernel/machine_kexec_32.c +++ b/arch/x86/kernel/machine_kexec_32.c @@ -70,12 +70,17 @@ static void load_segments(void) static void machine_kexec_free_page_tables(struct kimage *image) { free_page((unsigned long)image->arch.pgd); + image->arch.pgd = NULL; #ifdef CONFIG_X86_PAE free_page((unsigned long)image->arch.pmd0); + image->arch.pmd0 = NULL; free_page((unsigned long)image->arch.pmd1); + image->arch.pmd1 = NULL; #endif free_page((unsigned long)image->arch.pte0); + image->arch.pte0 = NULL; free_page((unsigned long)image->arch.pte1); + image->arch.pte1 = NULL; }
static int machine_kexec_alloc_page_tables(struct kimage *image) @@ -92,7 +97,6 @@ static int machine_kexec_alloc_page_tabl !image->arch.pmd0 || !image->arch.pmd1 || #endif !image->arch.pte0 || !image->arch.pte1) { - machine_kexec_free_page_tables(image); return -ENOMEM; } return 0; --- a/arch/x86/kernel/machine_kexec_64.c +++ b/arch/x86/kernel/machine_kexec_64.c @@ -25,8 +25,11 @@ static void free_transition_pgtable(struct kimage *image) { free_page((unsigned long)image->arch.pud); + image->arch.pud = NULL; free_page((unsigned long)image->arch.pmd); + image->arch.pmd = NULL; free_page((unsigned long)image->arch.pte); + image->arch.pte = NULL; }
static int init_transition_pgtable(struct kimage *image, pgd_t *pgd) @@ -67,7 +70,6 @@ static int init_transition_pgtable(struc set_pte(pte, pfn_pte(paddr >> PAGE_SHIFT, PAGE_KERNEL_EXEC)); return 0; err: - free_transition_pgtable(image); return result; }
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet edumazet@google.com
commit 6780db244d6b1537d139dea0ec8aad10cf9e4adb upstream.
syzbot produced a nice report [1]
Issue here is that a recvmmsg() managed to leak 8 bytes of kernel memory to user space, because sin_zero (padding field) was not properly cleared.
[1] BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184 [inline] BUG: KMSAN: uninit-value in move_addr_to_user+0x32e/0x530 net/socket.c:227 CPU: 1 PID: 3586 Comm: syzkaller481044 Not tainted 4.16.0+ #82 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x185/0x1d0 lib/dump_stack.c:53 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176 kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199 copy_to_user include/linux/uaccess.h:184 [inline] move_addr_to_user+0x32e/0x530 net/socket.c:227 ___sys_recvmsg+0x4e2/0x810 net/socket.c:2211 __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313 SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394 SyS_recvmmsg+0x76/0xa0 net/socket.c:2378 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x4401c9 RSP: 002b:00007ffc56f73098 EFLAGS: 00000217 ORIG_RAX: 000000000000012b RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401c9 RDX: 0000000000000001 RSI: 0000000020003ac0 RDI: 0000000000000003 RBP: 00000000006ca018 R08: 0000000020003bc0 R09: 0000000000000010 R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401af0 R13: 0000000000401b80 R14: 0000000000000000 R15: 0000000000000000
Local variable description: ----addr@___sys_recvmsg Variable was created at: ___sys_recvmsg+0xd5/0x810 net/socket.c:2172 __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
Bytes 8-15 of 16 are uninitialized
================================================================== Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 3586 Comm: syzkaller481044 Tainted: G B 4.16.0+ #82 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x185/0x1d0 lib/dump_stack.c:53 panic+0x39d/0x940 kernel/panic.c:183 kmsan_report+0x238/0x240 mm/kmsan/kmsan.c:1083 kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176 kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199 copy_to_user include/linux/uaccess.h:184 [inline] move_addr_to_user+0x32e/0x530 net/socket.c:227 ___sys_recvmsg+0x4e2/0x810 net/socket.c:2211 __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313 SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394 SyS_recvmmsg+0x76/0xa0 net/socket.c:2378 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet edumazet@google.com Cc: Vlad Yasevich vyasevich@gmail.com Cc: Neil Horman nhorman@tuxdriver.com Reported-by: syzbot syzkaller@googlegroups.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/sctp/ipv6.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/sctp/ipv6.c +++ b/net/sctp/ipv6.c @@ -700,8 +700,10 @@ static int sctp_v6_addr_to_user(struct s sctp_v6_map_v4(addr); }
- if (addr->sa.sa_family == AF_INET) + if (addr->sa.sa_family == AF_INET) { + memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); return sizeof(struct sockaddr_in); + } return sizeof(struct sockaddr_in6); }
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault g.nault@alphalink.fr
commit 6b9f34239b00e6956a267abed2bc559ede556ad6 upstream.
l2tp_tunnel_create() inserts the new tunnel into the namespace's tunnel list and sets the socket's ->sk_user_data field, before returning it to the caller. Therefore, there are two ways the tunnel can be accessed and freed, before the caller even had the opportunity to take a reference. In practice, syzbot could crash the module by closing the socket right after a new tunnel was returned to pppol2tp_create().
This patch moves tunnel registration out of l2tp_tunnel_create(), so that the caller can safely hold a reference before publishing the tunnel. This second step is done with the new l2tp_tunnel_register() function, which is now responsible for associating the tunnel to its socket and for inserting it into the namespace's list.
While moving the code to l2tp_tunnel_register(), a few modifications have been done. First, the socket validation tests are done in a helper function, for clarity. Also, modifying the socket is now done after having inserted the tunnel to the namespace's tunnels list. This will allow insertion to fail, without having to revert theses modifications in the error path (a followup patch will check for duplicate tunnels before insertion). Either the socket is a kernel socket which we control, or it is a user-space socket for which we have a reference on the file descriptor. In any case, the socket isn't going to be closed from under us.
Reported-by: syzbot+fbeeb5c3b538e8545644@syzkaller.appspotmail.com Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") Signed-off-by: Guillaume Nault g.nault@alphalink.fr Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.16: - Socket setup is open-coded rather than using setup_udp_tunnel_sock() - l2tp_nl_cmd_tunnel_create() doesn't call l2tp_tunnel_notify() Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/l2tp/l2tp_core.c | 192 ++++++++++++++++++---------------------- net/l2tp/l2tp_core.h | 3 + net/l2tp/l2tp_netlink.c | 16 +++- net/l2tp/l2tp_ppp.c | 9 ++ 4 files changed, 110 insertions(+), 110 deletions(-)
--- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c @@ -1560,74 +1560,11 @@ int l2tp_tunnel_create(struct net *net, { struct l2tp_tunnel *tunnel = NULL; int err; - struct socket *sock = NULL; - struct sock *sk = NULL; - struct l2tp_net *pn; enum l2tp_encap_type encap = L2TP_ENCAPTYPE_UDP;
- /* Get the tunnel socket from the fd, which was opened by - * the userspace L2TP daemon. If not specified, create a - * kernel socket. - */ - if (fd < 0) { - err = l2tp_tunnel_sock_create(net, tunnel_id, peer_tunnel_id, - cfg, &sock); - if (err < 0) - goto err; - } else { - sock = sockfd_lookup(fd, &err); - if (!sock) { - pr_err("tunl %u: sockfd_lookup(fd=%d) returned %d\n", - tunnel_id, fd, err); - err = -EBADF; - goto err; - } - - /* Reject namespace mismatches */ - if (!net_eq(sock_net(sock->sk), net)) { - pr_err("tunl %u: netns mismatch\n", tunnel_id); - err = -EINVAL; - goto err; - } - } - - sk = sock->sk; - if (cfg != NULL) encap = cfg->encap;
- /* Quick sanity checks */ - err = -EPROTONOSUPPORT; - if (sk->sk_type != SOCK_DGRAM) { - pr_debug("tunl %hu: fd %d wrong socket type\n", - tunnel_id, fd); - goto err; - } - switch (encap) { - case L2TP_ENCAPTYPE_UDP: - if (sk->sk_protocol != IPPROTO_UDP) { - pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n", - tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP); - goto err; - } - break; - case L2TP_ENCAPTYPE_IP: - if (sk->sk_protocol != IPPROTO_L2TP) { - pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n", - tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP); - goto err; - } - break; - } - - /* Check if this socket has already been prepped */ - tunnel = l2tp_tunnel(sk); - if (tunnel != NULL) { - /* This socket has already been prepped */ - err = -EBUSY; - goto err; - } - tunnel = kzalloc(sizeof(struct l2tp_tunnel), GFP_KERNEL); if (tunnel == NULL) { err = -ENOMEM; @@ -1644,17 +1581,83 @@ int l2tp_tunnel_create(struct net *net, rwlock_init(&tunnel->hlist_lock); tunnel->acpt_newsess = true;
- /* The net we belong to */ - tunnel->l2tp_net = net; - pn = l2tp_pernet(net); - if (cfg != NULL) tunnel->debug = cfg->debug;
- /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */ tunnel->encap = encap; - if (encap == L2TP_ENCAPTYPE_UDP) { - /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */ + + atomic_set(&tunnel->ref_count, 1); + tunnel->fd = fd; + + /* Init delete workqueue struct */ + INIT_WORK(&tunnel->del_work, l2tp_tunnel_del_work); + + INIT_LIST_HEAD(&tunnel->list); + + err = 0; +err: + if (tunnelp) + *tunnelp = tunnel; + + return err; +} +EXPORT_SYMBOL_GPL(l2tp_tunnel_create); + +static int l2tp_validate_socket(const struct sock *sk, const struct net *net, + enum l2tp_encap_type encap) +{ + if (!net_eq(sock_net(sk), net)) + return -EINVAL; + + if (sk->sk_type != SOCK_DGRAM) + return -EPROTONOSUPPORT; + + if ((encap == L2TP_ENCAPTYPE_UDP && sk->sk_protocol != IPPROTO_UDP) || + (encap == L2TP_ENCAPTYPE_IP && sk->sk_protocol != IPPROTO_L2TP)) + return -EPROTONOSUPPORT; + + if (sk->sk_user_data) + return -EBUSY; + + return 0; +} + +int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + struct l2tp_tunnel_cfg *cfg) +{ + struct l2tp_net *pn; + struct socket *sock; + struct sock *sk; + int ret; + + if (tunnel->fd < 0) { + ret = l2tp_tunnel_sock_create(net, tunnel->tunnel_id, + tunnel->peer_tunnel_id, cfg, + &sock); + if (ret < 0) + goto err; + } else { + sock = sockfd_lookup(tunnel->fd, &ret); + if (!sock) + goto err; + + ret = l2tp_validate_socket(sock->sk, net, tunnel->encap); + if (ret < 0) + goto err_sock; + } + + sk = sock->sk; + + sock_hold(sk); + tunnel->sock = sk; + tunnel->l2tp_net = net; + + pn = l2tp_pernet(net); + spin_lock_bh(&pn->l2tp_tunnel_list_lock); + list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list); + spin_unlock_bh(&pn->l2tp_tunnel_list_lock); + + if (tunnel->encap == L2TP_ENCAPTYPE_UDP) { udp_sk(sk)->encap_type = UDP_ENCAP_L2TPINUDP; udp_sk(sk)->encap_rcv = l2tp_udp_encap_recv; udp_sk(sk)->encap_destroy = l2tp_udp_encap_destroy; @@ -1668,49 +1671,23 @@ int l2tp_tunnel_create(struct net *net,
sk->sk_user_data = tunnel;
- /* Bump the reference count. The tunnel context is deleted - * only when this drops to zero. A reference is also held on - * the tunnel socket to ensure that it is not released while - * the tunnel is extant. Must be done before sk_destruct is - * set. - */ - atomic_set(&tunnel->ref_count, 1); - sock_hold(sk); - tunnel->sock = sk; - tunnel->fd = fd; - - /* Hook on the tunnel socket destructor so that we can cleanup - * if the tunnel socket goes away. - */ tunnel->old_sk_destruct = sk->sk_destruct; sk->sk_destruct = &l2tp_tunnel_destruct; - lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, "l2tp_sock"); - + lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, + "l2tp_sock"); sk->sk_allocation = GFP_ATOMIC;
- /* Init delete workqueue struct */ - INIT_WORK(&tunnel->del_work, l2tp_tunnel_del_work); + if (tunnel->fd >= 0) + sockfd_put(sock);
- /* Add tunnel to our list */ - INIT_LIST_HEAD(&tunnel->list); - spin_lock_bh(&pn->l2tp_tunnel_list_lock); - list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list); - spin_unlock_bh(&pn->l2tp_tunnel_list_lock); + return 0;
- err = 0; +err_sock: + sockfd_put(sock); err: - if (tunnelp) - *tunnelp = tunnel; - - /* If tunnel's socket was created by the kernel, it doesn't - * have a file. - */ - if (sock && sock->file) - sockfd_put(sock); - - return err; + return ret; } -EXPORT_SYMBOL_GPL(l2tp_tunnel_create); +EXPORT_SYMBOL_GPL(l2tp_tunnel_register);
/* This function is used by the netlink TUNNEL_DELETE command. */ --- a/net/l2tp/l2tp_core.h +++ b/net/l2tp/l2tp_core.h @@ -246,6 +246,9 @@ struct l2tp_tunnel *l2tp_tunnel_find_nth int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp); +int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net, + struct l2tp_tunnel_cfg *cfg); + void l2tp_tunnel_closeall(struct l2tp_tunnel *tunnel); void l2tp_tunnel_delete(struct l2tp_tunnel *tunnel); struct l2tp_session *l2tp_session_create(int priv_size, --- a/net/l2tp/l2tp_netlink.c +++ b/net/l2tp/l2tp_netlink.c @@ -192,6 +192,17 @@ static int l2tp_nl_cmd_tunnel_create(str break; }
+ if (ret < 0) + goto out; + + l2tp_tunnel_inc_refcount(tunnel); + ret = l2tp_tunnel_register(tunnel, net, &cfg); + if (ret < 0) { + kfree(tunnel); + goto out; + } + l2tp_tunnel_dec_refcount(tunnel); + out: return ret; } --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -720,6 +720,15 @@ static int pppol2tp_connect(struct socke error = l2tp_tunnel_create(sock_net(sk), fd, ver, tunnel_id, peer_tunnel_id, &tcfg, &tunnel); if (error < 0) goto end; + + l2tp_tunnel_inc_refcount(tunnel); + error = l2tp_tunnel_register(tunnel, sock_net(sk), + &tcfg); + if (error < 0) { + kfree(tunnel); + goto end; + } + drop_tunnel = true; } } else { /* Error if we can't find the tunnel */
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alan Cox alan@llwyncelyn.cymru
commit 8a8dabf2dd68caff842d38057097c23bc514ea6e upstream.
Historically the N_TTY driver could never fail but this has become broken over time. Rather than trying to rewrite half the ldisc layer to fix the breakage introduce a second level of fallback with an N_NULL ldisc which cannot fail, and thus restore the guarantees required by the ldisc layer.
We still try and fail to N_TTY first. It's much more useful to find yourself back in your old ldisc (first attempt) or in N_TTY (second attempt), and while I'm not aware of any code out there that makes those assumptions it's good to drive(r) defensively.
Signed-off-by: Alan Cox alan@linux.intel.com Reported-by: Dmitry Vyukov dvyukov@google.com Tested-by: Dmitry Vyukov dvyukov@google.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/tty/Makefile +++ b/drivers/tty/Makefile @@ -1,5 +1,6 @@ obj-$(CONFIG_TTY) += tty_io.o n_tty.o tty_ioctl.o tty_ldisc.o \ - tty_buffer.o tty_port.o tty_mutex.o tty_ldsem.o + tty_buffer.o tty_port.o tty_mutex.o \ + tty_ldsem.o n_null.o obj-$(CONFIG_LEGACY_PTYS) += pty.o obj-$(CONFIG_UNIX98_PTYS) += pty.o obj-$(CONFIG_AUDIT) += tty_audit.o --- /dev/null +++ b/drivers/tty/n_null.c @@ -0,0 +1,80 @@ +#include <linux/types.h> +#include <linux/errno.h> +#include <linux/tty.h> +#include <linux/module.h> + +/* + * n_null.c - Null line discipline used in the failure path + * + * Copyright (C) Intel 2017 + * + * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + */ + +static int n_null_open(struct tty_struct *tty) +{ + return 0; +} + +static void n_null_close(struct tty_struct *tty) +{ +} + +static ssize_t n_null_read(struct tty_struct *tty, struct file *file, + unsigned char __user * buf, size_t nr) +{ + return -EOPNOTSUPP; +} + +static ssize_t n_null_write(struct tty_struct *tty, struct file *file, + const unsigned char *buf, size_t nr) +{ + return -EOPNOTSUPP; +} + +static void n_null_receivebuf(struct tty_struct *tty, + const unsigned char *cp, char *fp, + int cnt) +{ +} + +static struct tty_ldisc_ops null_ldisc = { + .owner = THIS_MODULE, + .magic = TTY_LDISC_MAGIC, + .name = "n_null", + .open = n_null_open, + .close = n_null_close, + .read = n_null_read, + .write = n_null_write, + .receive_buf = n_null_receivebuf +}; + +static int __init n_null_init(void) +{ + BUG_ON(tty_register_ldisc(N_NULL, &null_ldisc)); + return 0; +} + +static void __exit n_null_exit(void) +{ + tty_unregister_ldisc(N_NULL); +} + +module_init(n_null_init); +module_exit(n_null_exit); + +MODULE_LICENSE("GPL"); +MODULE_AUTHOR("Alan Cox"); +MODULE_ALIAS_LDISC(N_NULL); +MODULE_DESCRIPTION("Null ldisc driver"); --- a/drivers/tty/tty_ldisc.c +++ b/drivers/tty/tty_ldisc.c @@ -474,6 +474,29 @@ static void tty_ldisc_close(struct tty_s }
/** + * tty_ldisc_failto - helper for ldisc failback + * @tty: tty to open the ldisc on + * @ld: ldisc we are trying to fail back to + * + * Helper to try and recover a tty when switching back to the old + * ldisc fails and we need something attached. + */ + +static int tty_ldisc_failto(struct tty_struct *tty, int ld) +{ + struct tty_ldisc *disc = tty_ldisc_get(tty, ld); + int r; + + if (IS_ERR(disc)) + return PTR_ERR(disc); + tty->ldisc = disc; + tty_set_termios_ldisc(tty, ld); + if ((r = tty_ldisc_open(tty, disc)) < 0) + tty_ldisc_put(disc); + return r; +} + +/** * tty_ldisc_restore - helper for tty ldisc change * @tty: tty to recover * @old: previous ldisc @@ -485,8 +508,6 @@ static void tty_ldisc_close(struct tty_s static void tty_ldisc_restore(struct tty_struct *tty, struct tty_ldisc *old) { char buf[64]; - struct tty_ldisc *new_ldisc; - int r;
/* There is an outstanding reference here so this is safe */ old = tty_ldisc_get(tty, old->ops->num); @@ -495,17 +516,13 @@ static void tty_ldisc_restore(struct tty tty_set_termios_ldisc(tty, old->ops->num); if (tty_ldisc_open(tty, old) < 0) { tty_ldisc_put(old); - /* This driver is always present */ - new_ldisc = tty_ldisc_get(tty, N_TTY); - if (IS_ERR(new_ldisc)) - panic("n_tty: get"); - tty->ldisc = new_ldisc; - tty_set_termios_ldisc(tty, N_TTY); - r = tty_ldisc_open(tty, new_ldisc); - if (r < 0) - panic("Couldn't open N_TTY ldisc for " - "%s --- error %d.", - tty_name(tty, buf), r); + /* The traditional behaviour is to fall back to N_TTY, we + want to avoid falling back to N_NULL unless we have no + choice to avoid the risk of breaking anything */ + if (tty_ldisc_failto(tty, N_TTY) < 0 && + tty_ldisc_failto(tty, N_NULL) < 0) + panic("Couldn't open N_NULL ldisc for %s.", + tty_name(tty, buf)); } }
--- a/include/uapi/linux/tty.h +++ b/include/uapi/linux/tty.h @@ -34,5 +34,6 @@ #define N_TI_WL 22 /* for TI's WL BT, FM, GPS combo chips */ #define N_TRACESINK 23 /* Trace data routing for MIPI P1149.7 */ #define N_TRACEROUTER 24 /* Trace data routing for MIPI P1149.7 */ +#define N_NULL 27 /* Null ldisc used for error handling */
#endif /* _UAPI_LINUX_TTY_H */
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Davidlohr Bueso dave@stgolabs.net
commit a73ab244f0dad8fffb3291b905f73e2d3eaa7c00 upstream.
Patch series "ipc/shm: shmat() fixes around nil-page".
These patches fix two issues reported[1] a while back by Joe and Andrea around how shmat(2) behaves with nil-page.
The first reverts a commit that it was incorrectly thought that mapping nil-page (address=0) was a no no with MAP_FIXED. This is not the case, with the exception of SHM_REMAP; which is address in the second patch.
I chose two patches because it is easier to backport and it explicitly reverts bogus behaviour. Both patches ought to be in -stable and ltp testcases need updated (the added testcase around the cve can be modified to just test for SHM_RND|SHM_REMAP).
[1] lkml.kernel.org/r/20180430172152.nfa564pvgpk3ut7p@linux-n805
This patch (of 2):
Commit 95e91b831f87 ("ipc/shm: Fix shmat mmap nil-page protection") worked on the idea that we should not be mapping as root addr=0 and MAP_FIXED. However, it was reported that this scenario is in fact valid, thus making the patch both bogus and breaks userspace as well.
For example X11's libint10.so relies on shmat(1, SHM_RND) for lowmem initialization[1].
[1] https://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/os-support/linux/i... Link: http://lkml.kernel.org/r/20180503203243.15045-2-dave@stgolabs.net Fixes: 95e91b831f87 ("ipc/shm: Fix shmat mmap nil-page protection") Signed-off-by: Davidlohr Bueso dbueso@suse.de Reported-by: Joe Lawrence joe.lawrence@redhat.com Reported-by: Andrea Arcangeli aarcange@redhat.com Cc: Manfred Spraul manfred@colorfullife.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- ipc/shm.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-)
--- a/ipc/shm.c +++ b/ipc/shm.c @@ -1112,13 +1112,8 @@ long do_shmat(int shmid, char __user *sh goto out; else if ((addr = (ulong)shmaddr)) { if (addr & (shmlba - 1)) { - /* - * Round down to the nearest multiple of shmlba. - * For sane do_mmap_pgoff() parameters, avoid - * round downs that trigger nil-page and MAP_FIXED. - */ - if ((shmflg & SHM_RND) && addr >= shmlba) - addr &= ~(shmlba - 1); + if (shmflg & SHM_RND) + addr &= ~(shmlba - 1); /* round down */ else #ifndef __ARCH_FORCE_SHMLBA if (addr & ~PAGE_MASK)
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro viro@zeniv.linux.org.uk
commit c66b23c2840446a82c389e4cb1a12eb2a71fa2e4 upstream.
jffs2_fill_super() might fail to allocate jffs2_sb_info; jffs2_kill_sb() must survive that.
Signed-off-by: Al Viro viro@zeniv.linux.org.uk [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/jffs2/super.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/jffs2/super.c +++ b/fs/jffs2/super.c @@ -345,7 +345,7 @@ static void jffs2_put_super (struct supe static void jffs2_kill_sb(struct super_block *sb) { struct jffs2_sb_info *c = JFFS2_SB_INFO(sb); - if (!(sb->s_flags & MS_RDONLY)) + if (c && !(sb->s_flags & MS_RDONLY)) jffs2_stop_garbage_collect_thread(c); kill_mtd_super(sb); kfree(c);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Wenwen Wang wang6495@umn.edu
commit 3f12888dfae2a48741c4caa9214885b3aaf350f9 upstream.
In snd_ctl_elem_add_compat(), the fields of the struct 'data' need to be copied from the corresponding fields of the struct 'data32' in userspace. This is achieved by invoking copy_from_user() and get_user() functions. The problem here is that the 'type' field is copied twice. One is by copy_from_user() and one is by get_user(). Given that the 'type' field is not used between the two copies, the second copy is *completely* redundant and should be removed for better performance and cleanup. Also, these two copies can cause inconsistent data: as the struct 'data32' resides in userspace and a malicious userspace process can race to change the 'type' field between the two copies to cause inconsistent data. Depending on how the data is used in the future, such an inconsistency may cause potential security risks.
For above reasons, we should take out the second copy.
Signed-off-by: Wenwen Wang wang6495@umn.edu Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/core/control_compat.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
--- a/sound/core/control_compat.c +++ b/sound/core/control_compat.c @@ -400,8 +400,7 @@ static int snd_ctl_elem_add_compat(struc if (copy_from_user(&data->id, &data32->id, sizeof(data->id)) || copy_from_user(&data->type, &data32->type, 3 * sizeof(u32))) goto error; - if (get_user(data->owner, &data32->owner) || - get_user(data->type, &data32->type)) + if (get_user(data->owner, &data32->owner)) goto error; switch (data->type) { case SNDRV_CTL_ELEM_TYPE_BOOLEAN:
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault g.nault@alphalink.fr
commit f726214d9b23e5fce8c11937577a289a3202498f upstream.
Use l2tp_tunnel_get_nth() instead of l2tp_tunnel_find_nth(), to be safe against concurrent tunnel deletion.
Use the same mechanism as in l2tp_ppp.c for dropping the reference taken by l2tp_tunnel_get_nth(). That is, drop the reference just before looking up the next tunnel. In case of error, drop the last accessed tunnel in l2tp_dfs_seq_stop().
That was the last use of l2tp_tunnel_find_nth().
Fixes: 0ad6614048cf ("l2tp: Add debugfs files for dumping l2tp debug info") Signed-off-by: Guillaume Nault g.nault@alphalink.fr Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/l2tp/l2tp_core.c | 20 -------------------- net/l2tp/l2tp_core.h | 1 - net/l2tp/l2tp_debugfs.c | 15 +++++++++++++-- 3 files changed, 13 insertions(+), 23 deletions(-)
--- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c @@ -415,26 +415,6 @@ err_tlock: } EXPORT_SYMBOL_GPL(l2tp_session_register);
-struct l2tp_tunnel *l2tp_tunnel_find_nth(struct net *net, int nth) -{ - struct l2tp_net *pn = l2tp_pernet(net); - struct l2tp_tunnel *tunnel; - int count = 0; - - rcu_read_lock_bh(); - list_for_each_entry_rcu(tunnel, &pn->l2tp_tunnel_list, list) { - if (++count > nth) { - rcu_read_unlock_bh(); - return tunnel; - } - } - - rcu_read_unlock_bh(); - - return NULL; -} -EXPORT_SYMBOL_GPL(l2tp_tunnel_find_nth); - /***************************************************************************** * Receive data handling *****************************************************************************/ --- a/net/l2tp/l2tp_core.h +++ b/net/l2tp/l2tp_core.h @@ -242,7 +242,6 @@ struct l2tp_session *l2tp_session_get_nt struct l2tp_session *l2tp_session_get_by_ifname(const struct net *net, const char *ifname, bool do_ref); -struct l2tp_tunnel *l2tp_tunnel_find_nth(struct net *net, int nth);
int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, --- a/net/l2tp/l2tp_debugfs.c +++ b/net/l2tp/l2tp_debugfs.c @@ -47,7 +47,11 @@ struct l2tp_dfs_seq_data {
static void l2tp_dfs_next_tunnel(struct l2tp_dfs_seq_data *pd) { - pd->tunnel = l2tp_tunnel_find_nth(pd->net, pd->tunnel_idx); + /* Drop reference taken during previous invocation */ + if (pd->tunnel) + l2tp_tunnel_dec_refcount(pd->tunnel); + + pd->tunnel = l2tp_tunnel_get_nth(pd->net, pd->tunnel_idx); pd->tunnel_idx++; }
@@ -96,7 +100,14 @@ static void *l2tp_dfs_seq_next(struct se
static void l2tp_dfs_seq_stop(struct seq_file *p, void *v) { - /* nothing to do */ + struct l2tp_dfs_seq_data *pd = v; + + if (!pd || pd == SEQ_START_TOKEN) + return; + + /* Drop reference taken by last invocation of l2tp_dfs_next_tunnel() */ + if (pd->tunnel) + l2tp_tunnel_dec_refcount(pd->tunnel); }
static void l2tp_dfs_seq_tunnel_show(struct seq_file *m, void *v)
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Yan, Zheng" zyan@redhat.com
commit ffdeec7aa41aa61ca4ee68fddf4669df9ce661d1 upstream.
For new inode, atime/mtime/ctime are uninitialized. Don't compare against them.
Signed-off-by: "Yan, Zheng" zyan@redhat.com Reviewed-by: Ilya Dryomov idryomov@gmail.com Signed-off-by: Ilya Dryomov idryomov@gmail.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/ceph/inode.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-)
--- a/fs/ceph/inode.c +++ b/fs/ceph/inode.c @@ -599,13 +599,15 @@ void ceph_fill_file_time(struct inode *i CEPH_CAP_FILE_BUFFER| CEPH_CAP_AUTH_EXCL| CEPH_CAP_XATTR_EXCL)) { - if (timespec_compare(ctime, &inode->i_ctime) > 0) { + if (ci->i_version == 0 || + timespec_compare(ctime, &inode->i_ctime) > 0) { dout("ctime %ld.%09ld -> %ld.%09ld inc w/ cap\n", inode->i_ctime.tv_sec, inode->i_ctime.tv_nsec, ctime->tv_sec, ctime->tv_nsec); inode->i_ctime = *ctime; } - if (ceph_seq_cmp(time_warp_seq, ci->i_time_warp_seq) > 0) { + if (ci->i_version == 0 || + ceph_seq_cmp(time_warp_seq, ci->i_time_warp_seq) > 0) { /* the MDS did a utimes() */ dout("mtime %ld.%09ld -> %ld.%09ld " "tw %d -> %d\n", @@ -719,7 +721,6 @@ static int fill_inode(struct inode *inod new_issued = ~issued & le32_to_cpu(info->cap.caps);
/* update inode */ - ci->i_version = le64_to_cpu(info->version); inode->i_version++; inode->i_rdev = le32_to_cpu(info->rdev); inode->i_blkbits = fls(le32_to_cpu(info->layout.fl_stripe_unit)) - 1; @@ -779,6 +780,9 @@ static int fill_inode(struct inode *inod xattr_blob = NULL; }
+ /* finally update i_version */ + ci->i_version = le64_to_cpu(info->version); + inode->i_mapping->a_ops = &ceph_aops; inode->i_mapping->backing_dev_info = &ceph_sb_to_client(inode->i_sb)->backing_dev_info;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Michael S. Tsirkin" mst@redhat.com
commit 24a7e4d20783c0514850f24a5c41ede46ab058f0 upstream.
For cleanup it's helpful to be able to simply scan all vqs and discard all data. Add an iterator to do that.
Signed-off-by: Michael S. Tsirkin mst@redhat.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- include/linux/virtio.h | 3 +++ 1 file changed, 3 insertions(+)
--- a/include/linux/virtio.h +++ b/include/linux/virtio.h @@ -108,6 +108,9 @@ void unregister_virtio_device(struct vir
void virtio_break_device(struct virtio_device *dev);
+#define virtio_device_for_each_vq(vdev, vq) \ + list_for_each_entry(vq, &vdev->vqs, list) + /** * virtio_driver - operations for a virtio I/O driver * @driver: underlying device driver (populate name and owner).
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vasily Gorbik gor@linux.ibm.com
commit 15deb080a6087b73089139569558965750e69d67 upstream.
When loadparm is set in reipl parm block, the kernel should also set DIAG308_FLAGS_LP_VALID flag.
This fixes loadparm ignoring during z/VM fcp -> ccw reipl and kvm direct boot -> ccw reipl.
Reviewed-by: Heiko Carstens heiko.carstens@de.ibm.com Signed-off-by: Vasily Gorbik gor@linux.ibm.com Signed-off-by: Martin Schwidefsky schwidefsky@de.ibm.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/s390/kernel/ipl.c | 1 + 1 file changed, 1 insertion(+)
--- a/arch/s390/kernel/ipl.c +++ b/arch/s390/kernel/ipl.c @@ -825,6 +825,7 @@ static ssize_t reipl_generic_loadparm_st /* copy and convert to ebcdic */ memcpy(ipb->ipl_info.ccw.load_parm, buf, lp_len); ASCEBC(ipb->ipl_info.ccw.load_parm, LOADPARM_LEN); + ipb->hdr.flags |= DIAG308_FLAGS_LP_VALID; return len; }
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peter Rosin peda@axentia.se
commit 35cd67a0caf767aba472452865dcb4471fcce2b1 upstream.
Returning zero is wrong in this case.
Signed-off-by: Peter Rosin peda@axentia.se Signed-off-by: Wolfram Sang wsa@the-dreams.de Fixes: 174a13aa8669 ("i2c: Add viperboard i2c master driver") Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/i2c/busses/i2c-viperboard.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-viperboard.c +++ b/drivers/i2c/busses/i2c-viperboard.c @@ -341,7 +341,7 @@ static int vprbrd_i2c_xfer(struct i2c_ad } mutex_unlock(&vb->lock); } - return 0; + return num; error: mutex_unlock(&vb->lock); return error;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Chris Metcalf cmetcalf@ezchip.com
commit 19c22f3a29fa8669c477f20a65f6c7c27108972a upstream.
arch/tile added word-at-a-time.h after the patch that added generic-y entries; the generic-y entry is now stale.
arch/h8300 is newer than the generic-y patch for word-at-a-time.h, and needs a generic-y entry.
arch/powerpc seems to have gotten a generic-y entry by mistake in the first patch; this change removes it.
Signed-off-by: Chris Metcalf cmetcalf@ezchip.com [bwh: Backported to 3.16: - Drop change in arch/h8300, which doesn't exist here - Drop change in arch/tile, which is still using the generic implementation] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/arch/powerpc/include/asm/Kbuild +++ b/arch/powerpc/include/asm/Kbuild @@ -6,4 +6,3 @@ generic-y += preempt.h generic-y += rwsem.h generic-y += trace_clock.h generic-y += vtime.h -generic-y += word-at-a-time.h
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Markus Elfring elfring@users.sourceforge.net
commit f9815f945aff2204b8afbbb9d2182024eb44a194 upstream.
Replace an error code for the indication of a memory allocation failure in this function.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2: Initial git repository build") Suggested-by: Rolf Eike Beer eike-kernel@sf-tec.de Signed-off-by: Markus Elfring elfring@users.sourceforge.net Cc: Helge Deller deller@gmx.de Cc: "James E. J. Bottomley" jejb@parisc-linux.org Signed-off-by: Bartlomiej Zolnierkiewicz b.zolnierkie@samsung.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/video/fbdev/stifb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/video/fbdev/stifb.c +++ b/drivers/video/fbdev/stifb.c @@ -1091,7 +1091,7 @@ static int __init stifb_init_fb(struct s fb = kzalloc(sizeof(*fb), GFP_ATOMIC); if (!fb) { printk(KERN_ERR "stifb: Could not allocate stifb structure\n"); - return -ENODEV; + return -ENOMEM; } info = &fb->info;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Steven Rostedt (VMware)" rostedt@goodmis.org
commit dc432c3d7f9bceb3de6f5b44fb9c657c9810ed6d upstream.
The regex match function regex_match_front() in the tracing filter logic, was fixed to test just the pattern length from testing the entire test string. That is, it went from strncmp(str, r->pattern, len) to strcmp(str, r->pattern, r->len).
The issue is that str is not guaranteed to be nul terminated, and if r->len is greater than the length of str, it can access more memory than is allocated.
The solution is to add a simple test if (len < r->len) return 0.
Fixes: 285caad415f45 ("tracing/filters: Fix MATCH_FRONT_ONLY filter matching") Signed-off-by: Steven Rostedt (VMware) rostedt@goodmis.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- kernel/trace/trace_events_filter.c | 3 +++ 1 file changed, 3 insertions(+)
--- a/kernel/trace/trace_events_filter.c +++ b/kernel/trace/trace_events_filter.c @@ -273,6 +273,9 @@ static int regex_match_full(char *str, s
static int regex_match_front(char *str, struct regex *r, int len) { + if (len < r->len) + return 0; + if (strncmp(str, r->pattern, r->len) == 0) return 1; return 0;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet edumazet@google.com
commit 6091f09c2f79730d895149bcfe3d66140288cd0e upstream.
syzbot reported :
BUG: KMSAN: uninit-value in ffs arch/x86/include/asm/bitops.h:432 [inline] BUG: KMSAN: uninit-value in netlink_sendmsg+0xb26/0x1310 net/netlink/af_netlink.c:1851
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet edumazet@google.com Reported-by: syzbot syzkaller@googlegroups.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/netlink/af_netlink.c | 2 ++ 1 file changed, 2 insertions(+)
--- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -1658,6 +1658,8 @@ static int netlink_sendmsg(struct kiocb
if (msg->msg_namelen) { err = -EINVAL; + if (msg->msg_namelen < sizeof(struct sockaddr_nl)) + goto out; if (addr->nl_family != AF_NETLINK) goto out; dst_portid = addr->nl_pid;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Kai-Heng Feng kai.heng.feng@canonical.com
commit afb133637071be6deeb8b3d0e55593ffbf63c527 upstream.
The sky2 ethernet stops working after system resume from suspend: [ 582.852065] sky2 0000:04:00.0: Refused to change power state, currently in D3
The current 150ms delay is not enough, change it to 200ms can solve the issue.
BugLink: https://bugs.launchpad.net/bugs/1758507 Signed-off-by: Kai-Heng Feng kai.heng.feng@canonical.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/ethernet/marvell/sky2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/marvell/sky2.c +++ b/drivers/net/ethernet/marvell/sky2.c @@ -5070,7 +5070,7 @@ static int sky2_probe(struct pci_dev *pd INIT_WORK(&hw->restart_work, sky2_restart);
pci_set_drvdata(pdev, hw); - pdev->d3_delay = 150; + pdev->d3_delay = 200;
return 0;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault g.nault@alphalink.fr
commit a49e2f5d5fb141884452ddb428f551b123d436b5 upstream.
We must validate sockaddr_len, otherwise userspace can pass fewer data than we expect and we end up accessing invalid data.
Fixes: 224cf5ad14c0 ("ppp: Move the PPP drivers") Reported-by: syzbot+4f03bdf92fdf9ef5ddab@syzkaller.appspotmail.com Signed-off-by: Guillaume Nault g.nault@alphalink.fr Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/ppp/pppoe.c | 4 ++++ 1 file changed, 4 insertions(+)
--- a/drivers/net/ppp/pppoe.c +++ b/drivers/net/ppp/pppoe.c @@ -615,6 +615,10 @@ static int pppoe_connect(struct socket * lock_sock(sk);
error = -EINVAL; + + if (sockaddr_len != sizeof(struct sockaddr_pppox)) + goto end; + if (sp->sa_protocol != PX_PROTO_OE) goto end;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Long Li longli@microsoft.com
commit 2796d303e3c5ec213c578ed3a66872205c126eb8 upstream.
The data buffer allocated on the stack can't be DMA'ed, ib_dma_map_page will return an invalid DMA address for a buffer on stack. Even worse, this incorrect address can't be detected by ib_dma_mapping_error. Sending data from this address to hardware will not fail, but the remote peer will get junk data.
Fix this by allocating the request on the heap in smb3_validate_negotiate.
Changes in v2: Removed duplicated code on freeing buffers on function exit. (Thanks to Parav Pandit parav@mellanox.com) Fixed typo in the patch title.
Changes in v3: Added "Fixes" to the patch. Changed several sizeof() to use *pointer in place of struct.
Changes in v4: Added detailed comments on the failure through RDMA. Allocate request buffer using GPF_NOFS. Fixed possible memory leak.
Changes in v5: Removed variable ret for checking return value. Changed to use pneg_inbuf->Dialects[0] to calculate unused space in pneg_inbuf.
Fixes: ff1c038addc4 ("Check SMB3 dialects against downgrade attacks") Signed-off-by: Long Li longli@microsoft.com Signed-off-by: Steve French stfrench@microsoft.com Reviewed-by: Ronnie Sahlberg lsahlber@redhat.com Reviewed-by: Tom Talpey ttalpey@microsoft.com [bwh: Backported to 3.16: We only ever pass one dialect] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/cifs/smb2pdu.c | 68 ++++++++++++++++++++++++++--------------------- 1 file changed, 38 insertions(+), 30 deletions(-)
--- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -477,8 +477,8 @@ neg_exit:
int smb3_validate_negotiate(const unsigned int xid, struct cifs_tcon *tcon) { - int rc = 0; - struct validate_negotiate_info_req vneg_inbuf; + int rc; + struct validate_negotiate_info_req *pneg_inbuf; struct validate_negotiate_info_rsp *pneg_rsp = NULL; u32 rsplen;
@@ -502,42 +502,47 @@ int smb3_validate_negotiate(const unsign if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_NULL) cifs_dbg(VFS, "Unexpected null user (anonymous) auth flag sent by server\n");
- vneg_inbuf.Capabilities = + pneg_inbuf = kmalloc(sizeof(*pneg_inbuf), GFP_NOFS); + if (!pneg_inbuf) + return -ENOMEM; + + pneg_inbuf->Capabilities = cpu_to_le32(tcon->ses->server->vals->req_capabilities); - memcpy(vneg_inbuf.Guid, tcon->ses->server->client_guid, + memcpy(pneg_inbuf->Guid, tcon->ses->server->client_guid, SMB2_CLIENT_GUID_SIZE);
if (tcon->ses->sign) - vneg_inbuf.SecurityMode = + pneg_inbuf->SecurityMode = cpu_to_le16(SMB2_NEGOTIATE_SIGNING_REQUIRED); else if (global_secflags & CIFSSEC_MAY_SIGN) - vneg_inbuf.SecurityMode = + pneg_inbuf->SecurityMode = cpu_to_le16(SMB2_NEGOTIATE_SIGNING_ENABLED); else - vneg_inbuf.SecurityMode = 0; + pneg_inbuf->SecurityMode = 0;
- vneg_inbuf.DialectCount = cpu_to_le16(1); - vneg_inbuf.Dialects[0] = + pneg_inbuf->DialectCount = cpu_to_le16(1); + pneg_inbuf->Dialects[0] = cpu_to_le16(tcon->ses->server->vals->protocol_id);
rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID, FSCTL_VALIDATE_NEGOTIATE_INFO, true /* is_fsctl */, - (char *)&vneg_inbuf, sizeof(struct validate_negotiate_info_req), + (char *)pneg_inbuf, sizeof(struct validate_negotiate_info_req), (char **)&pneg_rsp, &rsplen);
if (rc != 0) { cifs_dbg(VFS, "validate protocol negotiate failed: %d\n", rc); - return -EIO; + rc = -EIO; + goto out_free_inbuf; }
- if (rsplen != sizeof(struct validate_negotiate_info_rsp)) { + rc = -EIO; + if (rsplen != sizeof(*pneg_rsp)) { cifs_dbg(VFS, "invalid protocol negotiate response size: %d\n", rsplen);
/* relax check since Mac returns max bufsize allowed on ioctl */ - if ((rsplen > CIFSMaxBufSize) - || (rsplen < sizeof(struct validate_negotiate_info_rsp))) - goto err_rsp_free; + if (rsplen > CIFSMaxBufSize || rsplen < sizeof(*pneg_rsp)) + goto out_free_rsp; }
/* check validate negotiate info response matches what we got earlier */ @@ -554,15 +559,17 @@ int smb3_validate_negotiate(const unsign goto vneg_out;
/* validate negotiate successful */ + rc = 0; cifs_dbg(FYI, "validate negotiate info successful\n"); - kfree(pneg_rsp); - return 0; + goto out_free_rsp;
vneg_out: cifs_dbg(VFS, "protocol revalidation - security settings mismatch\n"); -err_rsp_free: +out_free_rsp: kfree(pneg_rsp); - return -EIO; +out_free_inbuf: + kfree(pneg_inbuf); + return rc; }
int
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Shuah Khan shuahkh@osg.samsung.com
commit 9020a7efe537856eb3e826ebebdf38a5d07a7857 upstream.
vhci_hcd fails to do reset to put usb device and sockfd in the module remove/stop paths. Fix the leak.
Signed-off-by: Shuah Khan shuahkh@osg.samsung.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/staging/usbip/usbip_common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/usbip/usbip_common.h +++ b/drivers/staging/usbip/usbip_common.h @@ -248,7 +248,7 @@ enum usbip_side { #define SDEV_EVENT_ERROR_SUBMIT (USBIP_EH_SHUTDOWN | USBIP_EH_RESET) #define SDEV_EVENT_ERROR_MALLOC (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE)
-#define VDEV_EVENT_REMOVED (USBIP_EH_SHUTDOWN | USBIP_EH_BYE) +#define VDEV_EVENT_REMOVED (USBIP_EH_SHUTDOWN | USBIP_EH_RESET | USBIP_EH_BYE) #define VDEV_EVENT_DOWN (USBIP_EH_SHUTDOWN | USBIP_EH_RESET) #define VDEV_EVENT_ERROR_TCP (USBIP_EH_SHUTDOWN | USBIP_EH_RESET) #define VDEV_EVENT_ERROR_MALLOC (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE)
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Rodrigo Rivas Costa rodrigorivascosta@gmail.com
commit a955358d54695e4ad9f7d6489a7ac4d69a8fc711 upstream.
Doing `ioctl(HIDIOCGFEATURE)` in a tight loop on a hidraw device and then disconnecting the device, or unloading the driver, can cause a NULL pointer dereference.
When a hidraw device is destroyed it sets 0 to `dev->exist`. Most functions check 'dev->exist' before doing its work, but `hidraw_get_report()` was missing that check.
Signed-off-by: Rodrigo Rivas Costa rodrigorivascosta@gmail.com Signed-off-by: Jiri Kosina jkosina@suse.cz Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/hid/hidraw.c | 5 +++++ 1 file changed, 5 insertions(+)
--- a/drivers/hid/hidraw.c +++ b/drivers/hid/hidraw.c @@ -197,6 +197,11 @@ static ssize_t hidraw_get_report(struct int ret = 0, len; unsigned char report_number;
+ if (!hidraw_table[minor] || !hidraw_table[minor]->exist) { + ret = -ENODEV; + goto out; + } + dev = hidraw_table[minor]->hid;
if (!dev->ll_driver->raw_request) {
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit 7f054a5bee0987f1e2d4e59daea462421c76f2cb upstream.
As recently Smatch suggested, one place in OPL3 driver may expand the array directly from the user-space value with speculation: sound/drivers/opl3/opl3_synth.c:476 snd_opl3_set_voice() warn: potential spectre issue 'snd_opl3_regmap'
This patch puts array_index_nospec() for hardening against it.
BugLink: https://marc.info/?l=linux-kernel&m=152411496503418&w=2 Reported-by: Dan Carpenter dan.carpenter@oracle.com Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/drivers/opl3/opl3_synth.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
--- a/sound/drivers/opl3/opl3_synth.c +++ b/sound/drivers/opl3/opl3_synth.c @@ -21,6 +21,7 @@
#include <linux/slab.h> #include <linux/export.h> +#include <linux/nospec.h> #include <sound/opl3.h> #include <sound/asound_fm.h>
@@ -448,7 +449,7 @@ static int snd_opl3_set_voice(struct snd { unsigned short reg_side; unsigned char op_offset; - unsigned char voice_offset; + unsigned char voice_offset, voice_op;
unsigned short opl3_reg; unsigned char reg_val; @@ -473,7 +474,9 @@ static int snd_opl3_set_voice(struct snd voice_offset = voice->voice - MAX_OPL2_VOICES; } /* Get register offset of operator */ - op_offset = snd_opl3_regmap[voice_offset][voice->op]; + voice_offset = array_index_nospec(voice_offset, MAX_OPL2_VOICES); + voice_op = array_index_nospec(voice->op, 4); + op_offset = snd_opl3_regmap[voice_offset][voice_op];
reg_val = 0x00; /* Set amplitude modulation (tremolo) effect */
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Marc Dionne marc.dionne@auristor.com
commit fd2498211a551fd42b2d6b9050d649d43536e75c upstream.
The AFS_ACE_READ and AFS_ACE_WRITE permission bits should not be used to make access decisions for the directory itself. They are meant to control access for the objects contained in that directory.
Reading a directory is allowed if the AFS_ACE_LOOKUP bit is set. This would cause an incorrect access denied error for a directory with AFS_ACE_LOOKUP but not AFS_ACE_READ.
The AFS_ACE_WRITE bit does not allow operations that modify the directory. For a directory with AFS_ACE_WRITE but neither AFS_ACE_INSERT nor AFS_ACE_DELETE, this would result in trying operations that would ultimately be denied by the server.
Signed-off-by: Marc Dionne marc.dionne@auristor.com Signed-off-by: David Howells dhowells@redhat.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/afs/security.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
--- a/fs/afs/security.c +++ b/fs/afs/security.c @@ -327,12 +327,11 @@ int afs_permission(struct inode *inode, if (!(access & AFS_ACE_LOOKUP)) goto permission_denied; } else if (mask & MAY_READ) { - if (!(access & AFS_ACE_READ)) + if (!(access & AFS_ACE_LOOKUP)) goto permission_denied; } else if (mask & MAY_WRITE) { if (!(access & (AFS_ACE_DELETE | /* rmdir, unlink, rename from */ - AFS_ACE_INSERT | /* create, mkdir, symlink, rename to */ - AFS_ACE_WRITE))) /* chmod */ + AFS_ACE_INSERT))) /* create, mkdir, symlink, rename to */ goto permission_denied; } else { BUG();
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nikolay Borisov nborisov@suse.com
commit efd38150af45375b46576d0110a323d7fab7e142 upstream.
If btrfs_transaction_commit fails it will proceed to call cleanup_transaction, which in turn already does btrfs_abort_transaction. So let's remove the unnecessary code duplication. Also let's be explicit about handling failure of btrfs_uuid_tree_add by calling btrfs_end_transaction.
Signed-off-by: Nikolay Borisov nborisov@suse.com Reviewed-by: David Sterba dsterba@suse.com Signed-off-by: David Sterba dsterba@suse.com [bwh: Backported to 3.16: - btrfs_{abort,end}_transaction() take a pointer to btrfs_root - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/btrfs/ioctl.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-)
--- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -5077,15 +5077,11 @@ static long _btrfs_ioctl_set_received_su root->root_key.objectid); if (ret < 0 && ret != -EEXIST) { btrfs_abort_transaction(trans, root, ret); + btrfs_end_transaction(trans, root); goto out; } } ret = btrfs_commit_transaction(trans, root); - if (ret < 0) { - btrfs_abort_transaction(trans, root, ret); - goto out; - } - out: up_write(&root->fs_info->subvol_sem); mnt_drop_write_file(file);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Prakash Kamliya pkamliya@codeaurora.org
commit 62e3a3e342af3c313ab38603811ecdb1fcc79edb upstream.
get_pages doesn't keep a reference of the pages allocated when it fails later in the code path. This can lead to a memory leak. Keep reference of the allocated pages so that it can be freed when msm_gem_free_object gets called later during cleanup.
Signed-off-by: Prakash Kamliya pkamliya@codeaurora.org Signed-off-by: Sharat Masetty smasetty@codeaurora.org Signed-off-by: Rob Clark robdclark@gmail.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/gpu/drm/msm/msm_gem.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-)
--- a/drivers/gpu/drm/msm/msm_gem.c +++ b/drivers/gpu/drm/msm/msm_gem.c @@ -83,14 +83,17 @@ static struct page **get_pages(struct dr return p; }
+ msm_obj->pages = p; + msm_obj->sgt = drm_prime_pages_to_sg(p, npages); if (IS_ERR(msm_obj->sgt)) { + void *ptr = ERR_CAST(msm_obj->sgt); + dev_err(dev->dev, "failed to allocate sgt\n"); - return ERR_CAST(msm_obj->sgt); + msm_obj->sgt = NULL; + return ptr; }
- msm_obj->pages = p; - /* For non-cached buffers, ensure the new pages are clean * because display controller, GPU, etc. are not coherent: */ @@ -113,7 +116,10 @@ static void put_pages(struct drm_gem_obj if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED)) dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl, msm_obj->sgt->nents, DMA_BIDIRECTIONAL); - sg_free_table(msm_obj->sgt); + + if (msm_obj->sgt) + sg_free_table(msm_obj->sgt); + kfree(msm_obj->sgt);
if (iommu_present(&platform_bus_type))
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Govindarajulu Varadarajan gvaradar@cisco.com
commit 322eaa06d55ebc1402a4a8d140945cff536638b4 upstream.
In commit 624dbf55a359b ("driver/net: enic: Try DMA 64 first, then failover to DMA") DMA mask was changed from 40 bits to 64 bits. Hardware actually supports only 47 bits.
Fixes: 624dbf55a359b ("driver/net: enic: Try DMA 64 first, then failover to DMA") Signed-off-by: Govindarajulu Varadarajan gvaradar@cisco.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/ethernet/cisco/enic/enic_main.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/net/ethernet/cisco/enic/enic_main.c +++ b/drivers/net/ethernet/cisco/enic/enic_main.c @@ -2198,11 +2198,11 @@ static int enic_probe(struct pci_dev *pd pci_set_master(pdev);
/* Query PCI controller on system for DMA addressing - * limitation for the device. Try 64-bit first, and + * limitation for the device. Try 47-bit first, and * fail to 32-bit. */
- err = pci_set_dma_mask(pdev, DMA_BIT_MASK(64)); + err = pci_set_dma_mask(pdev, DMA_BIT_MASK(47)); if (err) { err = pci_set_dma_mask(pdev, DMA_BIT_MASK(32)); if (err) { @@ -2216,10 +2216,10 @@ static int enic_probe(struct pci_dev *pd goto err_out_release_regions; } } else { - err = pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(64)); + err = pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(47)); if (err) { dev_err(dev, "Unable to obtain %u-bit DMA " - "for consistent allocations, aborting\n", 64); + "for consistent allocations, aborting\n", 47); goto err_out_release_regions; } using_dac = 1;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ian Kent raven@themaw.net
commit 1e6306652ba18723015d1b4967fe9de55f042499 upstream.
The autofs file system mkdir inode operation blindly sets the created directory mode to S_IFDIR | 0555, ingoring the passed in mode, which can cause selinux dac_override denials.
But the function also checks if the caller is the daemon (as no-one else should be able to do anything here) so there's no point in not honouring the passed in mode, allowing the daemon to set appropriate mode when required.
Link: http://lkml.kernel.org/r/152361593601.8051.14014139124905996173.stgit@pluto.... Signed-off-by: Ian Kent raven@themaw.net Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/autofs4/root.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/autofs4/root.c +++ b/fs/autofs4/root.c @@ -721,7 +721,7 @@ static int autofs4_dir_mkdir(struct inod
autofs4_del_active(dentry);
- inode = autofs4_get_inode(dir->i_sb, S_IFDIR | 0555); + inode = autofs4_get_inode(dir->i_sb, S_IFDIR | mode); if (!inode) return -ENOMEM; d_add(dentry, inode);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Matt Redfearn matt.redfearn@mips.com
commit b3d7e55c3f886493235bfee08e1e5a4a27cbcce8 upstream.
The micromips implementation of bzero additionally clobbers registers t7 & t8. Specify this in the clobbers list when invoking bzero.
Fixes: 26c5e07d1478 ("MIPS: microMIPS: Optimise 'memset' core library function.") Reported-by: James Hogan jhogan@kernel.org Signed-off-by: Matt Redfearn matt.redfearn@mips.com Cc: Ralf Baechle ralf@linux-mips.org Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/19110/ Signed-off-by: James Hogan jhogan@kernel.org [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/mips/include/asm/uaccess.h | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-)
--- a/arch/mips/include/asm/uaccess.h +++ b/arch/mips/include/asm/uaccess.h @@ -1210,6 +1210,13 @@ __clear_user(void __user *addr, __kernel { __kernel_size_t res;
+#ifdef CONFIG_CPU_MICROMIPS +/* micromips memset / bzero also clobbers t7 & t8 */ +#define bzero_clobbers "$4", "$5", "$6", __UA_t0, __UA_t1, "$15", "$24", "$31" +#else +#define bzero_clobbers "$4", "$5", "$6", __UA_t0, __UA_t1, "$31" +#endif /* CONFIG_CPU_MICROMIPS */ + if (config_enabled(CONFIG_EVA) && segment_eq(get_fs(), get_ds())) { __asm__ __volatile__( "move\t$4, %1\n\t" @@ -1219,7 +1226,7 @@ __clear_user(void __user *addr, __kernel "move\t%0, $6" : "=r" (res) : "r" (addr), "r" (size) - : "$4", "$5", "$6", __UA_t0, __UA_t1, "$31"); + : bzero_clobbers); } else { might_fault(); __asm__ __volatile__( @@ -1230,7 +1237,7 @@ __clear_user(void __user *addr, __kernel "move\t%0, $6" : "=r" (res) : "r" (addr), "r" (size) - : "$4", "$5", "$6", __UA_t0, __UA_t1, "$31"); + : bzero_clobbers); }
return res;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peter Rosin peda@axentia.se
commit 12d9bbc5a7f347eaa65ff2a9d34995cadc05eb1b upstream.
Returning -1 (-EPERM) is not appropriate here, go with -EIO.
Signed-off-by: Peter Rosin peda@axentia.se Signed-off-by: Wolfram Sang wsa@the-dreams.de Fixes: 1b144df1d7d6 ("i2c: New PMC MSP71xx TWI bus driver") Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/i2c/busses/i2c-pmcmsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-pmcmsp.c +++ b/drivers/i2c/busses/i2c-pmcmsp.c @@ -596,7 +596,7 @@ static int pmcmsptwi_master_xfer(struct * TODO: We could potentially loop and retry in the case * of MSP_TWI_XFER_TIMEOUT. */ - return -1; + return -EIO; }
return num;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Davidlohr Bueso dave@stgolabs.net
commit c5c8975b2eb4eb7604e8ce4f762987f56d2a96a2 upstream.
Upon every shm_lock call, we BUG_ON if an error was returned, indicating racing either in idr or in shm_destroy. Move this logic into the locking.
[akpm@linux-foundation.org: simplify code] Signed-off-by: Davidlohr Bueso dbueso@suse.de Cc: Manfred Spraul manfred@colorfullife.com Cc: Davidlohr Bueso dave@stgolabs.net Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- ipc/shm.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
--- a/ipc/shm.c +++ b/ipc/shm.c @@ -155,8 +155,11 @@ static inline struct shmid_kernel *shm_l { struct kern_ipc_perm *ipcp = ipc_lock(&shm_ids(ns), id);
- if (IS_ERR(ipcp)) - return (struct shmid_kernel *)ipcp; + /* + * We raced in the idr lookup or with shm_destroy(). Either way, the + * ID is busted. + */ + BUG_ON(IS_ERR(ipcp));
return container_of(ipcp, struct shmid_kernel, shm_perm); } @@ -190,7 +193,6 @@ static void shm_open(struct vm_area_stru struct shmid_kernel *shp;
shp = shm_lock(sfd->ns, sfd->id); - BUG_ON(IS_ERR(shp)); shp->shm_atim = get_seconds(); shp->shm_lprid = task_tgid_vnr(current); shp->shm_nattch++; @@ -256,7 +258,6 @@ static void shm_close(struct vm_area_str down_write(&shm_ids(ns).rwsem); /* remove from the list of attaches of the shm segment */ shp = shm_lock(ns, sfd->id); - BUG_ON(IS_ERR(shp)); shp->shm_lprid = task_tgid_vnr(current); shp->shm_dtim = get_seconds(); shp->shm_nattch--; @@ -1199,7 +1200,6 @@ out_fput: out_nattch: down_write(&shm_ids(ns).rwsem); shp = shm_lock(ns, shmid); - BUG_ON(IS_ERR(shp)); shp->shm_nattch--; if (shm_may_destroy(ns, shp)) shm_destroy(ns, shp);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen chenhc@lemote.com
commit 7bbaf27d9c83037b6e60a818e57bdbedf6bc15be upstream.
Calling __stack_chk_guard_setup() in decompress_kernel() is too late that stack checking always fails for decompress_kernel() itself. So remove __stack_chk_guard_setup() and initialize __stack_chk_guard before we call decompress_kernel().
Original code comes from ARM but also used for MIPS and SH, so fix them together. If without this fix, compressed booting of these archs will fail because stack checking is enabled by default (>=4.16).
Link: http://lkml.kernel.org/r/1522226933-29317-1-git-send-email-chenhc@lemote.com Fixes: 8779657d29c0 ("stackprotector: Introduce CONFIG_CC_STACKPROTECTOR_STRONG") Signed-off-by: Huacai Chen chenhc@lemote.com Acked-by: James Hogan jhogan@kernel.org Acked-by: Kees Cook keescook@chromium.org Acked-by: Rich Felker dalias@libc.org Cc: Ralf Baechle ralf@linux-mips.org Cc: Russell King linux@arm.linux.org.uk Cc: Yoshinori Sato ysato@users.sourceforge.jp Cc: Ingo Molnar mingo@elte.hu Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org [bwh: Backported to 3.16: Only ARM has this problem] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/arch/arm/boot/compressed/misc.c +++ b/arch/arm/boot/compressed/misc.c @@ -127,12 +127,7 @@ asmlinkage void __div0(void) error("Attempting division by 0!"); }
-unsigned long __stack_chk_guard; - -void __stack_chk_guard_setup(void) -{ - __stack_chk_guard = 0x000a0dff; -} +const unsigned long __stack_chk_guard = 0x000a0dff;
void __stack_chk_fail(void) { @@ -149,8 +144,6 @@ decompress_kernel(unsigned long output_s { int ret;
- __stack_chk_guard_setup(); - output_data = (unsigned char *)output_start; free_mem_ptr = free_mem_ptr_p; free_mem_end_ptr = free_mem_ptr_end_p;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vasyl Vavrychuk vvavrychuk@gmail.com
commit 470b5d6f0cf4674be2d1ec94e54283a1770b6a1a upstream.
Arrow USB Blaster integrated on MAX1000 board uses the same vendor ID (0x0403) and product ID (0x6010) as the "original" FTDI device.
This patch avoids picking up by ftdi_sio of the first interface of this USB device. After that this device can be used by Arrow user-space JTAG driver.
Signed-off-by: Vasyl Vavrychuk vvavrychuk@gmail.com Signed-off-by: Johan Hovold johan@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/serial/ftdi_sio.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/usb/serial/ftdi_sio.c +++ b/drivers/usb/serial/ftdi_sio.c @@ -1929,7 +1929,8 @@ static int ftdi_8u2232c_probe(struct usb return ftdi_jtag_probe(serial);
if (udev->product && - (!strcmp(udev->product, "BeagleBone/XDS100V2") || + (!strcmp(udev->product, "Arrow USB Blaster") || + !strcmp(udev->product, "BeagleBone/XDS100V2") || !strcmp(udev->product, "SNAP Connect E10"))) return ftdi_jtag_probe(serial);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: piaojun piaojun@huawei.com
commit 60c7ec9ee4a3410c2cb08850102d363c7e207f48 upstream.
Wait for dlm recovery done when migrating all lock resources in case that new lock resource left after leaving dlm domain. And the left lock resource will cause other nodes BUG.
NodeA NodeB NodeC
umount: dlm_unregister_domain() dlm_migrate_all_locks()
NodeB down
do recovery for NodeB and collect a new lockres form other live nodes:
dlm_do_recovery dlm_remaster_locks dlm_request_all_locks:
dlm_mig_lockres_handler dlm_new_lockres __dlm_insert_lockres
at last NodeA become the master of the new lockres and leave domain: dlm_leave_domain()
mount: dlm_join_domain()
touch file and request for the owner of the new lockres, but all the other nodes said 'NO', so NodeC decide to be the owner, and send do assert msg to other nodes: dlmlock() dlm_get_lock_resource() dlm_do_assert_master()
other nodes receive the msg and found two masters exist. at last cause BUG in dlm_assert_master_handler() -->BUG();
Link: http://lkml.kernel.org/r/5AAA6E25.7090303@huawei.com Fixes: bc9838c4d44a ("dlm: allow dlm do recovery during shutdown") Signed-off-by: Jun Piao piaojun@huawei.com Reviewed-by: Alex Chen alex.chen@huawei.com Reviewed-by: Yiwen Jiang jiangyiwen@huawei.com Acked-by: Joseph Qi jiangqi903@gmail.com Cc: Mark Fasheh mark@fasheh.com Cc: Joel Becker jlbec@evilplan.org Cc: Junxiao Bi junxiao.bi@oracle.com Cc: Changwei Ge ge.changwei@h3c.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/ocfs2/dlm/dlmcommon.h | 1 + fs/ocfs2/dlm/dlmdomain.c | 15 +++++++++++++++ fs/ocfs2/dlm/dlmrecovery.c | 13 ++++++++++--- 3 files changed, 26 insertions(+), 3 deletions(-)
--- a/fs/ocfs2/dlm/dlmcommon.h +++ b/fs/ocfs2/dlm/dlmcommon.h @@ -140,6 +140,7 @@ struct dlm_ctxt u8 node_num; u32 key; u8 joining_node; + u8 migrate_done; /* set to 1 means node has migrated all lock resources */ wait_queue_head_t dlm_join_events; unsigned long live_nodes_map[BITS_TO_LONGS(O2NM_MAX_NODES)]; unsigned long domain_map[BITS_TO_LONGS(O2NM_MAX_NODES)]; --- a/fs/ocfs2/dlm/dlmdomain.c +++ b/fs/ocfs2/dlm/dlmdomain.c @@ -460,6 +460,19 @@ redo_bucket: cond_resched_lock(&dlm->spinlock); num += n; } + + if (!num) { + if (dlm->reco.state & DLM_RECO_STATE_ACTIVE) { + mlog(0, "%s: perhaps there are more lock resources " + "need to be migrated after dlm recovery\n", dlm->name); + ret = -EAGAIN; + } else { + mlog(0, "%s: we won't do dlm recovery after migrating " + "all lock resources\n", dlm->name); + dlm->migrate_done = 1; + } + } + spin_unlock(&dlm->spinlock); wake_up(&dlm->dlm_thread_wq);
@@ -2063,6 +2076,8 @@ static struct dlm_ctxt *dlm_alloc_ctxt(c dlm->joining_node = DLM_LOCK_RES_OWNER_UNKNOWN; init_waitqueue_head(&dlm->dlm_join_events);
+ dlm->migrate_done = 0; + dlm->reco.new_master = O2NM_INVALID_NODE_NUM; dlm->reco.dead_node = O2NM_INVALID_NODE_NUM;
--- a/fs/ocfs2/dlm/dlmrecovery.c +++ b/fs/ocfs2/dlm/dlmrecovery.c @@ -423,12 +423,11 @@ void dlm_wait_for_recovery(struct dlm_ct
static void dlm_begin_recovery(struct dlm_ctxt *dlm) { - spin_lock(&dlm->spinlock); + assert_spin_locked(&dlm->spinlock); BUG_ON(dlm->reco.state & DLM_RECO_STATE_ACTIVE); printk(KERN_NOTICE "o2dlm: Begin recovery on domain %s for node %u\n", dlm->name, dlm->reco.dead_node); dlm->reco.state |= DLM_RECO_STATE_ACTIVE; - spin_unlock(&dlm->spinlock); }
static void dlm_end_recovery(struct dlm_ctxt *dlm) @@ -456,6 +455,13 @@ static int dlm_do_recovery(struct dlm_ct
spin_lock(&dlm->spinlock);
+ if (dlm->migrate_done) { + mlog(0, "%s: no need do recovery after migrating all " + "lock resources\n", dlm->name); + spin_unlock(&dlm->spinlock); + return 0; + } + /* check to see if the new master has died */ if (dlm->reco.new_master != O2NM_INVALID_NODE_NUM && test_bit(dlm->reco.new_master, dlm->recovery_map)) { @@ -490,12 +496,13 @@ static int dlm_do_recovery(struct dlm_ct mlog(0, "%s(%d):recovery thread found node %u in the recovery map!\n", dlm->name, task_pid_nr(dlm->dlm_reco_thread_task), dlm->reco.dead_node); - spin_unlock(&dlm->spinlock);
/* take write barrier */ /* (stops the list reshuffling thread, proxy ast handling) */ dlm_begin_recovery(dlm);
+ spin_unlock(&dlm->spinlock); + if (dlm->reco.new_master == dlm->node_num) goto master_here;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault g.nault@alphalink.fr
commit 8cb775bc0a34dc596837e7da03fd22c747be618b upstream.
PPP devices may get automatically unregistered when their network namespace is getting removed. This happens if the ppp control plane daemon (e.g. pppd) exits while it is the last user of this namespace.
This leads to several races:
* ppp_exit_net() may destroy the per namespace idr (pn->units_idr) before all file descriptors were released. Successive ppp_release() calls may then cleanup PPP devices with ppp_shutdown_interface() and try to use the already destroyed idr.
* Automatic device unregistration may also happen before the ppp_release() call for that device gets executed. Once called on the file owning the device, ppp_release() will then clean it up and try to unregister it a second time.
To fix these issues, operations defined in ppp_shutdown_interface() are moved to the PPP device's ndo_uninit() callback. This allows PPP devices to be properly cleaned up by unregister_netdev() and friends. So checking for ppp->owner is now an accurate test to decide if a PPP device should be unregistered.
Setting ppp->owner is done in ppp_create_interface(), before device registration, in order to avoid unprotected modification of this field.
Finally, ppp_exit_net() now starts by unregistering all remaining PPP devices to ensure that none will get unregistered after the call to idr_destroy().
Signed-off-by: Guillaume Nault g.nault@alphalink.fr Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/ppp/ppp_generic.c | 78 +++++++++++++++++++---------------- 1 file changed, 42 insertions(+), 36 deletions(-)
--- a/drivers/net/ppp/ppp_generic.c +++ b/drivers/net/ppp/ppp_generic.c @@ -269,9 +269,9 @@ static void ppp_ccp_peek(struct ppp *ppp static void ppp_ccp_closed(struct ppp *ppp); static struct compressor *find_compressor(int type); static void ppp_get_stats(struct ppp *ppp, struct ppp_stats *st); -static struct ppp *ppp_create_interface(struct net *net, int unit, int *retp); +static struct ppp *ppp_create_interface(struct net *net, int unit, + struct file *file, int *retp); static void init_ppp_file(struct ppp_file *pf, int kind); -static void ppp_shutdown_interface(struct ppp *ppp); static void ppp_destroy_interface(struct ppp *ppp); static struct ppp *ppp_find_unit(struct ppp_net *pn, int unit); static struct channel *ppp_find_channel(struct ppp_net *pn, int unit); @@ -392,8 +392,10 @@ static int ppp_release(struct inode *unu file->private_data = NULL; if (pf->kind == INTERFACE) { ppp = PF_TO_PPP(pf); + rtnl_lock(); if (file == ppp->owner) - ppp_shutdown_interface(ppp); + unregister_netdevice(ppp->dev); + rtnl_unlock(); } if (atomic_dec_and_test(&pf->refcnt)) { switch (pf->kind) { @@ -595,8 +597,10 @@ static long ppp_ioctl(struct file *file, err = -EINVAL; if (pf->kind == INTERFACE) { ppp = PF_TO_PPP(pf); + rtnl_lock(); if (file == ppp->owner) - ppp_shutdown_interface(ppp); + unregister_netdevice(ppp->dev); + rtnl_unlock(); } if (atomic_long_read(&file->f_count) < 2) { ppp_release(NULL, file); @@ -833,11 +837,10 @@ static int ppp_unattached_ioctl(struct n /* Create a new ppp unit */ if (get_user(unit, p)) break; - ppp = ppp_create_interface(net, unit, &err); + ppp = ppp_create_interface(net, unit, file, &err); if (!ppp) break; file->private_data = &ppp->file; - ppp->owner = file; err = -EFAULT; if (put_user(ppp->file.index, p)) break; @@ -911,6 +914,16 @@ static __net_init int ppp_init_net(struc static __net_exit void ppp_exit_net(struct net *net) { struct ppp_net *pn = net_generic(net, ppp_net_id); + struct ppp *ppp; + LIST_HEAD(list); + int id; + + rtnl_lock(); + idr_for_each_entry(&pn->units_idr, ppp, id) + unregister_netdevice_queue(ppp->dev, &list); + + unregister_netdevice_many(&list); + rtnl_unlock();
idr_destroy(&pn->units_idr); } @@ -1083,8 +1096,28 @@ static int ppp_dev_init(struct net_devic return 0; }
+static void ppp_dev_uninit(struct net_device *dev) +{ + struct ppp *ppp = netdev_priv(dev); + struct ppp_net *pn = ppp_pernet(ppp->ppp_net); + + ppp_lock(ppp); + ppp->closing = 1; + ppp_unlock(ppp); + + mutex_lock(&pn->all_ppp_mutex); + unit_put(&pn->units_idr, ppp->file.index); + mutex_unlock(&pn->all_ppp_mutex); + + ppp->owner = NULL; + + ppp->file.dead = 1; + wake_up_interruptible(&ppp->file.rwait); +} + static const struct net_device_ops ppp_netdev_ops = { .ndo_init = ppp_dev_init, + .ndo_uninit = ppp_dev_uninit, .ndo_start_xmit = ppp_start_xmit, .ndo_do_ioctl = ppp_net_ioctl, .ndo_get_stats64 = ppp_get_stats64, @@ -2662,8 +2695,8 @@ ppp_get_stats(struct ppp *ppp, struct pp * or if there is already a unit with the requested number. * unit == -1 means allocate a new number. */ -static struct ppp * -ppp_create_interface(struct net *net, int unit, int *retp) +static struct ppp *ppp_create_interface(struct net *net, int unit, + struct file *file, int *retp) { struct ppp *ppp; struct ppp_net *pn; @@ -2682,6 +2715,7 @@ ppp_create_interface(struct net *net, in ppp->mru = PPP_MRU; init_ppp_file(&ppp->file, INTERFACE); ppp->file.hdrlen = PPP_HDRLEN - 2; /* don't count proto bytes */ + ppp->owner = file; for (i = 0; i < NUM_NP; ++i) ppp->npmode[i] = NPMODE_PASS; INIT_LIST_HEAD(&ppp->channels); @@ -2770,34 +2804,6 @@ init_ppp_file(struct ppp_file *pf, int k }
/* - * Take down a ppp interface unit - called when the owning file - * (the one that created the unit) is closed or detached. - */ -static void ppp_shutdown_interface(struct ppp *ppp) -{ - struct ppp_net *pn; - - pn = ppp_pernet(ppp->ppp_net); - mutex_lock(&pn->all_ppp_mutex); - - /* This will call dev_close() for us. */ - ppp_lock(ppp); - if (!ppp->closing) { - ppp->closing = 1; - ppp_unlock(ppp); - unregister_netdev(ppp->dev); - unit_put(&pn->units_idr, ppp->file.index); - } else - ppp_unlock(ppp); - - ppp->file.dead = 1; - ppp->owner = NULL; - wake_up_interruptible(&ppp->file.rwait); - - mutex_unlock(&pn->all_ppp_mutex); -} - -/* * Free the memory used by a ppp unit. This is only called once * there are no channels connected to the unit and no file structs * that reference the unit.
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings ben@decadent.org.uk
register_netdevice() will call the device's ndo_uninit operation if registration fails after it calls the ndo_init operation. However ppp_dev_uninit() uses ppp->ppp_net which is currently not set until after register_netdevice() returns.
This was fixed upstream as part of commit 6d934c70db6e "ppp: add rtnetlink device creation support".
Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/net/ppp/ppp_generic.c +++ b/drivers/net/ppp/ppp_generic.c @@ -2732,6 +2732,7 @@ static struct ppp *ppp_create_interface(
ppp = netdev_priv(dev); ppp->dev = dev; + ppp->ppp_net = net; ppp->mru = PPP_MRU; init_ppp_file(&ppp->file, INTERFACE); ppp->file.hdrlen = PPP_HDRLEN - 2; /* don't count proto bytes */ @@ -2801,8 +2802,6 @@ static struct ppp *ppp_create_interface( goto out2; }
- ppp->ppp_net = net; - atomic_inc(&ppp_unit_count); mutex_unlock(&pn->all_ppp_mutex); rtnl_unlock();
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peng Hao peng.hao2@zte.com.cn
commit 3140c156e919b0f5fad5c5f6cf7876c39d1d4f06 upstream.
fix a "warning: no previous prototype".
Signed-off-by: Peng Hao peng.hao2@zte.com.cn Signed-off-by: Paolo Bonzini pbonzini@redhat.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/x86/kvm/x86.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -6640,7 +6640,7 @@ int kvm_task_switch(struct kvm_vcpu *vcp } EXPORT_SYMBOL_GPL(kvm_task_switch);
-int kvm_valid_sregs(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs) +static int kvm_valid_sregs(struct kvm_vcpu *vcpu, struct kvm_sregs *sregs) { if ((sregs->efer & EFER_LME) && (sregs->cr0 & X86_CR0_PG)) { /*
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Julian Wiedmann jwi@linux.ibm.com
commit 2e68adcd2fb21b7188ba449f0fab3bee2910e500 upstream.
Calling qdio_release_memory() on error is just plain wrong. It frees the main qdio_irq struct, when following code still uses it.
Also, no other error path in qdio_establish() does this. So trust callers to clean up via qdio_free() if some step of the QDIO initialization fails.
Fixes: 779e6e1c724d ("[S390] qdio: new qdio driver.") Signed-off-by: Julian Wiedmann jwi@linux.ibm.com Signed-off-by: Martin Schwidefsky schwidefsky@de.ibm.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/s390/cio/qdio_setup.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-)
--- a/drivers/s390/cio/qdio_setup.c +++ b/drivers/s390/cio/qdio_setup.c @@ -406,7 +406,6 @@ int qdio_setup_irq(struct qdio_initializ { struct ciw *ciw; struct qdio_irq *irq_ptr = init_data->cdev->private->qdio_data; - int rc;
memset(&irq_ptr->qib, 0, sizeof(irq_ptr->qib)); memset(&irq_ptr->siga_flag, 0, sizeof(irq_ptr->siga_flag)); @@ -443,16 +442,14 @@ int qdio_setup_irq(struct qdio_initializ ciw = ccw_device_get_ciw(init_data->cdev, CIW_TYPE_EQUEUE); if (!ciw) { DBF_ERROR("%4x NO EQ", irq_ptr->schid.sch_no); - rc = -EINVAL; - goto out_err; + return -EINVAL; } irq_ptr->equeue = *ciw;
ciw = ccw_device_get_ciw(init_data->cdev, CIW_TYPE_AQUEUE); if (!ciw) { DBF_ERROR("%4x NO AQ", irq_ptr->schid.sch_no); - rc = -EINVAL; - goto out_err; + return -EINVAL; } irq_ptr->aqueue = *ciw;
@@ -460,9 +457,6 @@ int qdio_setup_irq(struct qdio_initializ irq_ptr->orig_handler = init_data->cdev->handler; init_data->cdev->handler = qdio_int_handler; return 0; -out_err: - qdio_release_memory(irq_ptr); - return rc; }
void qdio_print_subchannel_info(struct qdio_irq *irq_ptr,
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Masami Hiramatsu mhiramat@kernel.org
commit 50268a3d266ecfdd6c5873d62b2758d9732fc598 upstream.
Fix string fetch function to terminate with NUL. It is OK to drop the rest of string.
Signed-off-by: Masami Hiramatsu mhiramat@kernel.org Cc: Linus Torvalds torvalds@linux-foundation.org Cc: Peter Zijlstra peterz@infradead.org Cc: Song Liu songliubraving@fb.com Cc: Thomas Gleixner tglx@linutronix.de Cc: security@kernel.org Cc: 范龙飞 long7573@126.com Fixes: 5baaa59ef09e ("tracing/probes: Implement 'memory' fetch method for uprobes") Signed-off-by: Ingo Molnar mingo@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- kernel/trace/trace_uprobe.c | 2 ++ 1 file changed, 2 insertions(+)
--- a/kernel/trace/trace_uprobe.c +++ b/kernel/trace/trace_uprobe.c @@ -149,6 +149,8 @@ static void FETCH_FUNC_NAME(memory, stri return;
ret = strncpy_from_user(dst, src, maxlen); + if (ret == maxlen) + dst[--ret] = '\0';
if (ret < 0) { /* Failed to fetch string */ ((u8 *)get_rloc_data(dest))[0] = '\0';
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Michael Ellerman mpe@ellerman.id.au
commit b8858581febb050688e276b956796bc4a78299ed upstream.
When we patch an alternate feature section, we have to adjust any relative branches that branch out of the alternate section.
But currently we have a bug if we have a branch that points to past the last instruction of the alternate section, eg:
FTR_SECTION_ELSE 1: b 2f or 6,6,6 2: ALT_FTR_SECTION_END(...) nop
This will result in a relative branch at 1 with a target that equals the end of the alternate section.
That branch does not need adjusting when it's moved to the non-else location. Currently we do adjust it, resulting in a branch that goes off into the link-time location of the else section, which is junk.
The fix is to not patch branches that have a target == end of the alternate section.
Fixes: d20fe50a7b3c ("KVM: PPC: Book3S HV: Branch inside feature section") Fixes: 9b1a735de64c ("powerpc: Add logic to patch alternative feature sections") Signed-off-by: Michael Ellerman mpe@ellerman.id.au Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/powerpc/lib/feature-fixups.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/powerpc/lib/feature-fixups.c +++ b/arch/powerpc/lib/feature-fixups.c @@ -52,7 +52,7 @@ static int patch_alt_instruction(unsigne unsigned int *target = (unsigned int *)branch_target(src);
/* Branch within the section doesn't need translating */ - if (target < alt_start || target >= alt_end) { + if (target < alt_start || target > alt_end) { instr = translate_branch(dest, src); if (!instr) return 1;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Julian Wiedmann jwi@linux.ibm.com
commit e521813468f786271a87e78e8644243bead48fad upstream.
Ever since CQ/QAOB support was added, calling qdio_free() straight after qdio_alloc() results in qdio_release_memory() accessing uninitialized memory (ie. q->u.out.use_cq and q->u.out.aobs). Followed by a kmem_cache_free() on the random AOB addresses.
For older kernels that don't have 6e30c549f6ca, the same applies if qdio_establish() fails in the DEV_STATE_ONLINE check.
While initializing q->u.out.use_cq would be enough to fix this particular bug, the more future-proof change is to just zero-alloc the whole struct.
Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks") Signed-off-by: Julian Wiedmann jwi@linux.ibm.com Signed-off-by: Martin Schwidefsky schwidefsky@de.ibm.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/s390/cio/qdio_setup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/s390/cio/qdio_setup.c +++ b/drivers/s390/cio/qdio_setup.c @@ -90,7 +90,7 @@ static int __qdio_allocate_qs(struct qdi int i;
for (i = 0; i < nr_queues; i++) { - q = kmem_cache_alloc(qdio_q_cache, GFP_KERNEL); + q = kmem_cache_zalloc(qdio_q_cache, GFP_KERNEL); if (!q) return -ENOMEM;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Gustavo A. R. Silva" gustavo@embeddedor.com
commit 2be147f7459db5bbf292e0a6f135037b55e20b39 upstream.
pool can be indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability.
This issue was detected with the help of Smatch:
drivers/atm/zatm.c:1462 zatm_ioctl() warn: potential spectre issue 'zatm_dev->pool_info' (local cap)
Fix this by sanitizing pool before using it to index zatm_dev->pool_info
Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1].
[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
Signed-off-by: Gustavo A. R. Silva gustavo@embeddedor.com Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/atm/zatm.c | 3 +++ 1 file changed, 3 insertions(+)
--- a/drivers/atm/zatm.c +++ b/drivers/atm/zatm.c @@ -28,6 +28,7 @@ #include <asm/io.h> #include <linux/atomic.h> #include <asm/uaccess.h> +#include <linux/nospec.h>
#include "uPD98401.h" #include "uPD98402.h" @@ -1455,6 +1456,8 @@ static int zatm_ioctl(struct atm_dev *de return -EFAULT; if (pool < 0 || pool > ZATM_LAST_POOL) return -EINVAL; + pool = array_index_nospec(pool, + ZATM_LAST_POOL + 1); spin_lock_irqsave(&zatm_dev->lock, flags); info = zatm_dev->pool_info[pool]; if (cmd == ZATM_GETPOOLZ) {
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nicholas Piggin npiggin@gmail.com
commit 3b8070335f751aac9f1526ae2e012e6f5b8b0f21 upstream.
The OPAL NVRAM driver does not sleep in case it gets OPAL_BUSY or OPAL_BUSY_EVENT from firmware, which causes large scheduling latencies, and various lockup errors to trigger (again, BMC reboot can cause it).
Fix this by converting it to the standard form OPAL_BUSY loop that sleeps.
Fixes: 628daa8d5abf ("powerpc/powernv: Add RTC and NVRAM support plus RTAS fallbacks") Depends-on: 34dd25de9fe3 ("powerpc/powernv: define a standard delay for OPAL_BUSY type retry loops") Signed-off-by: Nicholas Piggin npiggin@gmail.com Signed-off-by: Michael Ellerman mpe@ellerman.id.au Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/powerpc/platforms/powernv/opal-nvram.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
--- a/arch/powerpc/platforms/powernv/opal-nvram.c +++ b/arch/powerpc/platforms/powernv/opal-nvram.c @@ -11,6 +11,7 @@
#define DEBUG
+#include <linux/delay.h> #include <linux/kernel.h> #include <linux/init.h> #include <linux/of.h> @@ -55,8 +56,12 @@ static ssize_t opal_nvram_write(char *bu
while (rc == OPAL_BUSY || rc == OPAL_BUSY_EVENT) { rc = opal_write_nvram(__pa(buf), count, off); - if (rc == OPAL_BUSY_EVENT) + if (rc == OPAL_BUSY_EVENT) { + msleep(OPAL_BUSY_DELAY_MS); opal_poll_events(NULL); + } else if (rc == OPAL_BUSY) { + msleep(OPAL_BUSY_DELAY_MS); + } }
if (rc)
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit 60bb83b81169820c691fbfa33a6a4aef32aa4b0b upstream.
We've got a bug report indicating a kernel panic at booting on an x86-32 system, and it turned out to be the invalid PCI resource assigned after reallocation. __find_resource() first aligns the resource start address and resets the end address with start+size-1 accordingly, then checks whether it's contained. Here the end address may overflow the integer, although resource_contains() still returns true because the function validates only start and end address. So this ends up with returning an invalid resource (start > end).
There was already an attempt to cover such a problem in the commit 47ea91b4052d ("Resource: fix wrong resource window calculation"), but this case is an overseen one.
This patch adds the validity check of the newly calculated resource for avoiding the integer overflow problem.
Bugzilla: http://bugzilla.opensuse.org/show_bug.cgi?id=1086739 Link: http://lkml.kernel.org/r/s5hpo37d5l8.wl-tiwai@suse.de Fixes: 23c570a67448 ("resource: ability to resize an allocated resource") Signed-off-by: Takashi Iwai tiwai@suse.de Reported-by: Michael Henders hendersm@shaw.ca Tested-by: Michael Henders hendersm@shaw.ca Reviewed-by: Andrew Morton akpm@linux-foundation.org Cc: Ram Pai linuxram@us.ibm.com Cc: Bjorn Helgaas bhelgaas@google.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- kernel/resource.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/kernel/resource.c +++ b/kernel/resource.c @@ -474,7 +474,8 @@ static int __find_resource(struct resour alloc.start = constraint->alignf(constraint->alignf_data, &avail, size, constraint->align); alloc.end = alloc.start + size - 1; - if (resource_contains(&avail, &alloc)) { + if (alloc.start <= alloc.end && + resource_contains(&avail, &alloc)) { new->start = alloc.start; new->end = alloc.end; return 0;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal fw@strlen.de
commit 569ccae68b38654f04b6842b034aa33857f605fe upstream.
rules in nftables a free'd using kfree, but protected by rcu, i.e. we must wait for a grace period to elapse.
Normal removal patch does this, but nf_tables_newrule() doesn't obey this rule during error handling.
It calls nft_trans_rule_add() *after* linking rule, and, if that fails to allocate memory, it unlinks the rule and then kfree() it -- this is unsafe.
Switch order -- first add rule to transaction list, THEN link it to public list.
Note: nft_trans_rule_add() uses GFP_KERNEL; it will not fail so this is not a problem in practice (spotted only during code review).
Fixes: 0628b123c96d12 ("netfilter: nfnetlink: add batch support and use it from nf_tables") Signed-off-by: Florian Westphal fw@strlen.de Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org [bwh: Backported to 3.16: Some function names are different] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/netfilter/nf_tables_api.c | 59 +++++++++++++++++++---------------- 1 file changed, 32 insertions(+), 27 deletions(-)
--- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -1829,41 +1829,46 @@ static int nf_tables_newrule(struct sock }
if (nlh->nlmsg_flags & NLM_F_REPLACE) { - if (nft_rule_is_active_next(net, old_rule)) { - trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE, - old_rule); - if (trans == NULL) { - err = -ENOMEM; - goto err2; - } - nft_rule_disactivate_next(net, old_rule); - chain->use--; - list_add_tail_rcu(&rule->list, &old_rule->list); - } else { + if (!nft_rule_is_active_next(net, old_rule)) { err = -ENOENT; goto err2; } - } else if (nlh->nlmsg_flags & NLM_F_APPEND) - if (old_rule) - list_add_rcu(&rule->list, &old_rule->list); - else - list_add_tail_rcu(&rule->list, &chain->rules); - else { - if (old_rule) - list_add_tail_rcu(&rule->list, &old_rule->list); - else - list_add_rcu(&rule->list, &chain->rules); - } + trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE, + old_rule); + if (trans == NULL) { + err = -ENOMEM; + goto err2; + } + nft_rule_disactivate_next(net, old_rule); + chain->use--; + + if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) { + err = -ENOMEM; + goto err2; + }
- if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) { - err = -ENOMEM; - goto err3; + list_add_tail_rcu(&rule->list, &old_rule->list); + } else { + if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) { + err = -ENOMEM; + goto err2; + } + + if (nlh->nlmsg_flags & NLM_F_APPEND) { + if (old_rule) + list_add_rcu(&rule->list, &old_rule->list); + else + list_add_tail_rcu(&rule->list, &chain->rules); + } else { + if (old_rule) + list_add_tail_rcu(&rule->list, &old_rule->list); + else + list_add_rcu(&rule->list, &chain->rules); + } } chain->use++; return 0;
-err3: - list_del_rcu(&rule->list); err2: nf_tables_rule_destroy(&ctx, rule); err1:
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet edumazet@google.com
commit aa8f8778493c85fff480cdf8b349b1e1dcb5f243 upstream.
KMSAN reported use of uninit-value that I tracked to lack of proper size check on RTA_TABLE attribute.
I also believe RTA_PREFSRC lacks a similar check.
Fixes: 86872cb57925 ("[IPv6] route: FIB6 configuration using struct fib6_config") Fixes: c3968a857a6b ("ipv6: RTA_PREFSRC support for ipv6 route source address selection") Signed-off-by: Eric Dumazet edumazet@google.com Reported-by: syzbot syzkaller@googlegroups.com Acked-by: David Ahern dsahern@gmail.com Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/ipv6/route.c | 2 ++ 1 file changed, 2 insertions(+)
--- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -2344,11 +2344,13 @@ void rt6_mtu_change(struct net_device *d
static const struct nla_policy rtm_ipv6_policy[RTA_MAX+1] = { [RTA_GATEWAY] = { .len = sizeof(struct in6_addr) }, + [RTA_PREFSRC] = { .len = sizeof(struct in6_addr) }, [RTA_OIF] = { .type = NLA_U32 }, [RTA_IIF] = { .type = NLA_U32 }, [RTA_PRIORITY] = { .type = NLA_U32 }, [RTA_METRICS] = { .type = NLA_NESTED }, [RTA_MULTIPATH] = { .len = sizeof(struct rtnexthop) }, + [RTA_TABLE] = { .type = NLA_U32 }, };
static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh,
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Richard Weinberger richard@nod.at
commit b5094b7f135be34630e3ea8a98fa215715d0f29d upstream.
While UBI and UBIFS seem to work at first sight with MLC NAND, you will most likely lose all your data upon a power-cut or due to read/write disturb. In order to protect users from bad surprises, refuse to attach to MLC NAND.
Signed-off-by: Richard Weinberger richard@nod.at Acked-by: Boris Brezillon boris.brezillon@bootlin.com Acked-by: Artem Bityutskiy dedekind1@gmail.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/mtd/ubi/build.c | 11 +++++++++++ 1 file changed, 11 insertions(+)
--- a/drivers/mtd/ubi/build.c +++ b/drivers/mtd/ubi/build.c @@ -905,6 +905,17 @@ int ubi_attach_mtd_dev(struct mtd_info * return -EINVAL; }
+ /* + * Both UBI and UBIFS have been designed for SLC NAND and NOR flashes. + * MLC NAND is different and needs special care, otherwise UBI or UBIFS + * will die soon and you will lose all your data. + */ + if (mtd->type == MTD_MLCNANDFLASH) { + pr_err("ubi: refuse attaching mtd%d - MLC NAND is not supported\n", + mtd->index); + return -EINVAL; + } + if (ubi_num == UBI_DEV_NUM_AUTO) { /* Search for an empty slot in the @ubi_devices array */ for (ubi_num = 0; ubi_num < UBI_MAX_DEVICES; ubi_num++)
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Liu Bo bo.liu@linux.alibaba.com
commit 80c0b4210a963e31529e15bf90519708ec947596 upstream.
0, 1 and <0 can be returned by btrfs_next_leaf(), and when <0 is returned, path->nodes[0] could be NULL, log_dir_items lacks such a check for <0 and we may run into a null pointer dereference panic.
Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations") Reviewed-by: Nikolay Borisov nborisov@suse.com Signed-off-by: Liu Bo bo.liu@linux.alibaba.com Signed-off-by: David Sterba dsterba@suse.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/btrfs/tree-log.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
--- a/fs/btrfs/tree-log.c +++ b/fs/btrfs/tree-log.c @@ -3082,8 +3082,11 @@ static noinline int log_dir_items(struct * from this directory and from this transaction */ ret = btrfs_next_leaf(root, path); - if (ret == 1) { - last_offset = (u64)-1; + if (ret) { + if (ret == 1) + last_offset = (u64)-1; + else + err = ret; goto done; } btrfs_item_key_to_cpu(path->nodes[0], &tmp, path->slots[0]);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nicolin Chen nicoleotsuka@gmail.com
commit c656941df9bc80f7ec65b92ca73c42f8b0b62628 upstream.
When the desired ratio is less than 256, the savesub (tolerance) in the calculation would become 0. This will then fail the loop- search immediately without reporting any errors.
But if the ratio is smaller enough, there is no need to calculate the tolerance because PM divisor alone is enough to get the ratio.
So a simple fix could be just to set PM directly instead of going into the loop-search.
Reported-by: Marek Vasut marex@denx.de Signed-off-by: Nicolin Chen nicoleotsuka@gmail.com Tested-by: Marek Vasut marex@denx.de Reviewed-by: Fabio Estevam fabio.estevam@nxp.com Signed-off-by: Mark Brown broonie@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/soc/fsl/fsl_esai.c | 7 +++++++ 1 file changed, 7 insertions(+)
--- a/sound/soc/fsl/fsl_esai.c +++ b/sound/soc/fsl/fsl_esai.c @@ -142,6 +142,13 @@ static int fsl_esai_divisor_cal(struct s
psr = ratio <= 256 * maxfp ? ESAI_xCCR_xPSR_BYPASS : ESAI_xCCR_xPSR_DIV8;
+ /* Do not loop-search if PM (1 ~ 256) alone can serve the ratio */ + if (ratio <= 256) { + pm = ratio; + fp = 1; + goto out; + } + /* Set the max fluctuation -- 0.1% of the max devisor */ savesub = (psr ? 1 : 8) * 256 * maxfp / 1000;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o tytso@mit.edu
commit 54dd0e0a1b255f115f8647fc6fb93273251b01b9 upstream.
Add explicit checks in ext4_xattr_block_get() just in case the e_value_offs and e_value_size fields in the the xattr block are corrupted in memory after the buffer_verified bit is set on the xattr block.
Signed-off-by: Theodore Ts'o tytso@mit.edu [bwh: Backported to 3.16: - Drop change to ext4_xattr_check_entries() which is only needed for the xattr-in-inode case - Adjust context, indentation] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -327,12 +327,18 @@ bad_block: if (error) goto cleanup; size = le32_to_cpu(entry->e_value_size); + error = -ERANGE; + if (unlikely(size > EXT4_XATTR_SIZE_MAX)) + goto cleanup; if (buffer) { - error = -ERANGE; + u16 offset = le16_to_cpu(entry->e_value_offs); + void *p = bh->b_data + offset; + if (size > buffer_size) goto cleanup; - memcpy(buffer, bh->b_data + le16_to_cpu(entry->e_value_offs), - size); + if (unlikely(p + size > end)) + goto cleanup; + memcpy(buffer, p, size); } error = size;
@@ -370,12 +376,18 @@ ext4_xattr_ibody_get(struct inode *inode if (error) goto cleanup; size = le32_to_cpu(entry->e_value_size); + error = -ERANGE; + if (unlikely(size > EXT4_XATTR_SIZE_MAX)) + goto cleanup; if (buffer) { - error = -ERANGE; + u16 offset = le16_to_cpu(entry->e_value_offs); + void *p = (void *)IFIRST(header) + offset; + if (size > buffer_size) goto cleanup; - memcpy(buffer, (void *)IFIRST(header) + - le16_to_cpu(entry->e_value_offs), size); + if (unlikely(p + size > end)) + goto cleanup; + memcpy(buffer, p, size); } error = size;
--- a/fs/ext4/xattr.h +++ b/fs/ext4/xattr.h @@ -67,6 +67,17 @@ struct ext4_xattr_entry { EXT4_I(inode)->i_extra_isize)) #define IFIRST(hdr) ((struct ext4_xattr_entry *)((hdr)+1))
+/* + * XATTR_SIZE_MAX is currently 64k, but for the purposes of checking + * for file system consistency errors, we use a somewhat bigger value. + * This allows XATTR_SIZE_MAX to grow in the future, but by using this + * instead of INT_MAX for certain consistency checks, we don't need to + * worry about arithmetic overflows. (Actually XATTR_SIZE_MAX is + * defined in include/uapi/linux/limits.h, so changing it is going + * not going to be trivial....) + */ +#define EXT4_XATTR_SIZE_MAX (1 << 24) + #define BHDR(bh) ((struct ext4_xattr_header *)((bh)->b_data)) #define ENTRY(ptr) ((struct ext4_xattr_entry *)(ptr)) #define BFIRST(bh) ENTRY(BHDR(bh)+1)
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ard Biesheuvel ard.biesheuvel@linaro.org
commit 0b3225ab9407f557a8e20f23f37aa7236c10a9b1 upstream.
Mixed mode allows a kernel built for x86_64 to interact with 32-bit EFI firmware, but requires us to define all struct definitions carefully when it comes to pointer sizes.
'struct efi_pci_io_protocol_32' currently uses a 'void *' for the 'romimage' field, which will be interpreted as a 64-bit field on such kernels, potentially resulting in bogus memory references and subsequent crashes.
Tested-by: Hans de Goede hdegoede@redhat.com Signed-off-by: Ard Biesheuvel ard.biesheuvel@linaro.org Cc: Linus Torvalds torvalds@linux-foundation.org Cc: Matt Fleming matt@codeblueprint.co.uk Cc: Peter Zijlstra peterz@infradead.org Cc: Thomas Gleixner tglx@linutronix.de Cc: linux-efi@vger.kernel.org Link: http://lkml.kernel.org/r/20180504060003.19618-13-ard.biesheuvel@linaro.org Signed-off-by: Ingo Molnar mingo@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/x86/boot/compressed/eboot.c | 6 ++++-- include/linux/efi.h | 8 ++++---- 2 files changed, 8 insertions(+), 6 deletions(-)
--- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -358,7 +358,8 @@ __setup_efi_pci32(efi_pci_io_protocol_32 if (status != EFI_SUCCESS) goto free_struct;
- memcpy(rom->romdata, pci->romimage, pci->romsize); + memcpy(rom->romdata, (void *)(unsigned long)pci->romimage, + pci->romsize); return status;
free_struct: @@ -460,7 +461,8 @@ __setup_efi_pci64(efi_pci_io_protocol_64 if (status != EFI_SUCCESS) goto free_struct;
- memcpy(rom->romdata, pci->romimage, pci->romsize); + memcpy(rom->romdata, (void *)(unsigned long)pci->romimage, + pci->romsize); return status;
free_struct: --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -368,8 +368,8 @@ typedef struct { u32 attributes; u32 get_bar_attributes; u32 set_bar_attributes; - uint64_t romsize; - void *romimage; + u64 romsize; + u32 romimage; } efi_pci_io_protocol_32;
typedef struct { @@ -388,8 +388,8 @@ typedef struct { u64 attributes; u64 get_bar_attributes; u64 set_bar_attributes; - uint64_t romsize; - void *romimage; + u64 romsize; + u64 romimage; } efi_pci_io_protocol_64;
typedef struct {
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Gustavo A. R. Silva" gustavo@embeddedor.com
commit 23d6aef74da86a33fa6bb75f79565e0a16ee97c2 upstream.
`resource' can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability.
This issue was detected with the help of Smatch:
kernel/sys.c:1474 __do_compat_sys_old_getrlimit() warn: potential spectre issue 'get_current()->signal->rlim' (local cap) kernel/sys.c:1455 __do_sys_old_getrlimit() warn: potential spectre issue 'get_current()->signal->rlim' (local cap)
Fix this by sanitizing *resource* before using it to index current->signal->rlim
Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1].
[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
Link: http://lkml.kernel.org/r/20180515030038.GA11822@embeddedor.com Signed-off-by: Gustavo A. R. Silva gustavo@embeddedor.com Reviewed-by: Andrew Morton akpm@linux-foundation.org Cc: Alexei Starovoitov ast@kernel.org Cc: Dan Williams dan.j.williams@intel.com Cc: Thomas Gleixner tglx@linutronix.de Cc: Peter Zijlstra peterz@infradead.org Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org [bwh: Backported to 3.16: - Drop changes to compat implementation, which is a wrapper for the regular implementation here - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/kernel/sys.c +++ b/kernel/sys.c @@ -63,6 +63,9 @@ #include <asm/io.h> #include <asm/unistd.h>
+/* Hardening for Spectre-v1 */ +#include <linux/nospec.h> + #ifndef SET_UNALIGN_CTL # define SET_UNALIGN_CTL(a,b) (-EINVAL) #endif @@ -1294,6 +1297,7 @@ SYSCALL_DEFINE2(old_getrlimit, unsigned if (resource >= RLIM_NLIMITS) return -EINVAL;
+ resource = array_index_nospec(resource, RLIM_NLIMITS); task_lock(current->group_leader); x = current->signal->rlim[resource]; task_unlock(current->group_leader);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Dichtel nicolas.dichtel@6wind.com
commit 82612de1c98e610d194e34178bde3cca7dedce41 upstream.
After commit f6cc9c054e77, the following conf is broken (note that the default loopback mtu is 65536, ie IP_MAX_MTU + 1):
$ ip tunnel add gre1 mode gre local 10.125.0.1 remote 10.125.0.2 dev lo add tunnel "gre0" failed: Invalid argument $ ip l a type dummy $ ip l s dummy1 up $ ip l s dummy1 mtu 65535 $ ip tunnel add gre1 mode gre local 10.125.0.1 remote 10.125.0.2 dev dummy1 add tunnel "gre0" failed: Invalid argument
dev_set_mtu() doesn't allow to set a mtu which is too large. First, let's cap the mtu returned by ip_tunnel_bind_dev(). Second, remove the magic value 0xFFF8 and use IP_MAX_MTU instead. 0xFFF8 seems to be there for ages, I don't know why this value was used.
With a recent kernel, it's also possible to set a mtu > IP_MAX_MTU: $ ip l s dummy1 mtu 66000 After that patch, it's also possible to bind an ip tunnel on that kind of interface.
CC: Petr Machata petrm@mellanox.com CC: Ido Schimmel idosch@mellanox.com Link: https://git.kernel.org/pub/scm/linux/kernel/git/davem/netdev-vger-cvs.git/co... Fixes: f6cc9c054e77 ("ip_tunnel: Emit events for post-register MTU changes") Signed-off-by: Nicolas Dichtel nicolas.dichtel@6wind.com Reviewed-by: Ido Schimmel idosch@mellanox.com Signed-off-by: David S. Miller davem@davemloft.net [bwh: Backported to 3.16: - Drop change in ip_tunnel_create() - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/net/ipv4/ip_tunnel.c +++ b/net/ipv4/ip_tunnel.c @@ -387,7 +387,7 @@ static int ip_tunnel_bind_dev(struct net
if (tdev) { hlen = tdev->hard_header_len + tdev->needed_headroom; - mtu = tdev->mtu; + mtu = min(tdev->mtu, IP_MAX_MTU); } dev->iflink = tunnel->parms.link;
@@ -851,7 +851,7 @@ int ip_tunnel_change_mtu(struct net_devi int t_hlen = tunnel->hlen + sizeof(struct iphdr);
if (new_mtu < 68 || - new_mtu > 0xFFF8 - dev->hard_header_len - t_hlen) + new_mtu > IP_MAX_MTU - dev->hard_header_len - t_hlen) return -EINVAL; dev->mtu = new_mtu; return 0; @@ -979,7 +979,7 @@ int ip_tunnel_newlink(struct net_device
mtu = ip_tunnel_bind_dev(dev); if (tb[IFLA_MTU]) { - unsigned int max = 0xfff8 - dev->hard_header_len - nt->hlen; + unsigned int max = IP_MAX_MTU - dev->hard_header_len - nt->hlen;
mtu = clamp(dev->mtu, (unsigned int)ETH_MIN_MTU, (unsigned int)(max - sizeof(struct iphdr)));
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jack Morgenstein jackm@dev.mellanox.co.il
commit d546b67cda015fb92bfee93d5dc0ceadb91deaee upstream.
spin_lock/unlock was used instead of spin_un/lock_irq in a procedure used in process space, on a spinlock which can be grabbed in an interrupt.
This caused the stack trace below to be displayed (on kernel 4.17.0-rc1 compiled with Lock Debugging enabled):
[ 154.661474] WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected [ 154.668909] 4.17.0-rc1-rdma_rc_mlx+ #3 Tainted: G I [ 154.675856] ----------------------------------------------------- [ 154.682706] modprobe/10159 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire: [ 154.690254] 00000000f3b0e495 (&(&qp_table->lock)->rlock){+.+.}, at: mlx4_qp_remove+0x20/0x50 [mlx4_core] [ 154.700927] and this task is already holding: [ 154.707461] 0000000094373b5d (&(&cq->lock)->rlock/1){....}, at: destroy_qp_common+0x111/0x560 [mlx4_ib] [ 154.718028] which would create a new lock dependency: [ 154.723705] (&(&cq->lock)->rlock/1){....} -> (&(&qp_table->lock)->rlock){+.+.} [ 154.731922] but this new dependency connects a SOFTIRQ-irq-safe lock: [ 154.740798] (&(&cq->lock)->rlock){..-.} [ 154.740800] ... which became SOFTIRQ-irq-safe at: [ 154.752163] _raw_spin_lock_irqsave+0x3e/0x50 [ 154.757163] mlx4_ib_poll_cq+0x36/0x900 [mlx4_ib] [ 154.762554] ipoib_tx_poll+0x4a/0xf0 [ib_ipoib] ... to a SOFTIRQ-irq-unsafe lock: [ 154.815603] (&(&qp_table->lock)->rlock){+.+.} [ 154.815604] ... which became SOFTIRQ-irq-unsafe at: [ 154.827718] ... [ 154.827720] _raw_spin_lock+0x35/0x50 [ 154.833912] mlx4_qp_lookup+0x1e/0x50 [mlx4_core] [ 154.839302] mlx4_flow_attach+0x3f/0x3d0 [mlx4_core]
Since mlx4_qp_lookup() is called only in process space, we can simply replace the spin_un/lock calls with spin_un/lock_irq calls.
Fixes: 6dc06c08bef1 ("net/mlx4: Fix the check in attaching steering rules") Signed-off-by: Jack Morgenstein jackm@dev.mellanox.co.il Signed-off-by: Tariq Toukan tariqt@mellanox.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/ethernet/mellanox/mlx4/qp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/ethernet/mellanox/mlx4/qp.c +++ b/drivers/net/ethernet/mellanox/mlx4/qp.c @@ -363,11 +363,11 @@ struct mlx4_qp *mlx4_qp_lookup(struct ml struct mlx4_qp_table *qp_table = &mlx4_priv(dev)->qp_table; struct mlx4_qp *qp;
- spin_lock(&qp_table->lock); + spin_lock_irq(&qp_table->lock);
qp = __mlx4_qp_lookup(dev, qpn);
- spin_unlock(&qp_table->lock); + spin_unlock_irq(&qp_table->lock); return qp; }
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Steven Rostedt (VMware)" rostedt@goodmis.org
commit 45dd9b0666a162f8e4be76096716670cf1741f0e upstream.
Doing an audit of trace events, I discovered two trace events in the xen subsystem that use a hack to create zero data size trace events. This is not what trace events are for. Trace events add memory footprint overhead, and if all you need to do is see if a function is hit or not, simply make that function noinline and use function tracer filtering.
Worse yet, the hack used was:
__array(char, x, 0)
Which creates a static string of zero in length. There's assumptions about such constructs in ftrace that this is a dynamic string that is nul terminated. This is not the case with these tracepoints and can cause problems in various parts of ftrace.
Nuke the trace events!
Link: http://lkml.kernel.org/r/20180509144605.5a220327@gandalf.local.home
Fixes: 95a7d76897c1e ("xen/mmu: Use Xen specific TLB flush instead of the generic one.") Reviewed-by: Juergen Gross jgross@suse.com Signed-off-by: Steven Rostedt (VMware) rostedt@goodmis.org [bwh: Backported to 3.16: adjust filename, context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/arch/x86/xen/mmu.c +++ b/arch/x86/xen/mmu.c @@ -1283,8 +1283,6 @@ void xen_flush_tlb_all(void) struct mmuext_op *op; struct multicall_space mcs;
- trace_xen_mmu_flush_tlb_all(0); - preempt_disable();
mcs = xen_mc_entry(sizeof(*op)); @@ -1297,13 +1295,11 @@ void xen_flush_tlb_all(void)
preempt_enable(); } -static void xen_flush_tlb(void) +static noinline void xen_flush_tlb(void) { struct mmuext_op *op; struct multicall_space mcs;
- trace_xen_mmu_flush_tlb(0); - preempt_disable();
mcs = xen_mc_entry(sizeof(*op)); --- a/include/trace/events/xen.h +++ b/include/trace/events/xen.h @@ -377,22 +377,6 @@ DECLARE_EVENT_CLASS(xen_mmu_pgd, DEFINE_XEN_MMU_PGD_EVENT(xen_mmu_pgd_pin); DEFINE_XEN_MMU_PGD_EVENT(xen_mmu_pgd_unpin);
-TRACE_EVENT(xen_mmu_flush_tlb_all, - TP_PROTO(int x), - TP_ARGS(x), - TP_STRUCT__entry(__array(char, x, 0)), - TP_fast_assign((void)x), - TP_printk("%s", "") - ); - -TRACE_EVENT(xen_mmu_flush_tlb, - TP_PROTO(int x), - TP_ARGS(x), - TP_STRUCT__entry(__array(char, x, 0)), - TP_fast_assign((void)x), - TP_printk("%s", "") - ); - TRACE_EVENT(xen_mmu_flush_tlb_single, TP_PROTO(unsigned long addr), TP_ARGS(addr),
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Safonov dsafonov@virtuozzo.com
commit 5ba8a4a96f6eaa6af88e24c7794f142217aa3b6f upstream.
It's useless. Before: [tracing]# echo 'p:test /a:0x0' >> uprobe_events [tracing]# echo 'p:test a:0x0' >> uprobe_events -bash: echo: write error: No such file or directory [tracing]# echo 'p:test 1:0x0' >> uprobe_events -bash: echo: write error: Invalid argument
After: [tracing]# echo 'p:test 1:0x0' >> uprobe_events -bash: echo: write error: No such file or directory
Link: http://lkml.kernel.org/r/20160825152110.25663-3-dsafonov@virtuozzo.com
Acked-by: Srikar Dronamraju srikar@linux.vnet.ibm.com Acked-by: Oleg Nesterov oleg@redhat.com Signed-off-by: Dmitry Safonov dsafonov@virtuozzo.com Signed-off-by: Steven Rostedt rostedt@goodmis.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- kernel/trace/trace_uprobe.c | 4 ---- 1 file changed, 4 deletions(-)
--- a/kernel/trace/trace_uprobe.c +++ b/kernel/trace/trace_uprobe.c @@ -430,10 +430,6 @@ static int create_trace_uprobe(int argc, pr_info("Probe point is not specified.\n"); return -EINVAL; } - if (isdigit(argv[1][0])) { - pr_info("probe point must be have a filename.\n"); - return -EINVAL; - } arg = strchr(argv[1], ':'); if (!arg) { ret = -EINVAL;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Leon Romanovsky leonro@mellanox.com
commit 002bf2282b2d7318e444dca9ffcb994afc5d5f15 upstream.
Ensure that user didn't supply values too large that can cause overflow.
UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/qp.c:263:23 shift exponent -2147483648 is negative CPU: 0 PID: 292 Comm: syzkaller612609 Not tainted 4.16.0-rc1+ #131 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014 Call Trace: dump_stack+0xde/0x164 ubsan_epilogue+0xe/0x81 set_rq_size+0x7c2/0xa90 create_qp_common+0xc18/0x43c0 mlx5_ib_create_qp+0x379/0x1ca0 create_qp.isra.5+0xc94/0x2260 ib_uverbs_create_qp+0x21b/0x2a0 ib_uverbs_write+0xc2c/0x1010 vfs_write+0x1b0/0x550 SyS_write+0xc7/0x1a0 do_syscall_64+0x1aa/0x740 entry_SYSCALL_64_after_hwframe+0x26/0x9b RIP: 0033:0x433569 RSP: 002b:00007ffc6e62f448 EFLAGS: 00000217 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00000000004002f8 RCX: 0000000000433569 RDX: 0000000000000070 RSI: 00000000200042c0 RDI: 0000000000000003 RBP: 00000000006d5018 R08: 00000000004002f8 R09: 00000000004002f8 R10: 00000000004002f8 R11: 0000000000000217 R12: 0000000000000000 R13: 000000000040c9f0 R14: 000000000040ca80 R15: 0000000000000006
Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") Cc: syzkaller syzkaller@googlegroups.com Reported-by: Noa Osherovich noaos@mellanox.com Signed-off-by: Leon Romanovsky leonro@mellanox.com Signed-off-by: Doug Ledford dledford@redhat.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/infiniband/hw/mlx5/qp.c | 4 ++++ 1 file changed, 4 insertions(+)
--- a/drivers/infiniband/hw/mlx5/qp.c +++ b/drivers/infiniband/hw/mlx5/qp.c @@ -174,7 +174,11 @@ static int set_rq_size(struct mlx5_ib_de } else { if (ucmd) { qp->rq.wqe_cnt = ucmd->rq_wqe_count; + if (ucmd->rq_wqe_shift > BITS_PER_BYTE * sizeof(ucmd->rq_wqe_shift)) + return -EINVAL; qp->rq.wqe_shift = ucmd->rq_wqe_shift; + if ((1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) < qp->wq_sig) + return -EINVAL; qp->rq.max_gs = (1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) - qp->wq_sig; qp->rq.max_post = qp->rq.wqe_cnt; } else {
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Danit Goldberg danitg@mellanox.com
commit 4f32ac2e452c2180cd2df581cbadac183e27ecd0 upstream.
Before the change, if the user passed a static rate value different than zero and the FW doesn't support static rate, it would end up configuring rate of 2.5 GBps.
Fix this by using rate 0; unlimited, in cases where FW doesn't support static rate configuration.
Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") Reviewed-by: Majd Dibbiny majd@mellanox.com Signed-off-by: Danit Goldberg danitg@mellanox.com Signed-off-by: Leon Romanovsky leonro@mellanox.com Signed-off-by: Doug Ledford dledford@redhat.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/infiniband/hw/mlx5/qp.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-)
--- a/drivers/infiniband/hw/mlx5/qp.c +++ b/drivers/infiniband/hw/mlx5/qp.c @@ -1285,18 +1285,18 @@ enum {
static int ib_rate_to_mlx5(struct mlx5_ib_dev *dev, u8 rate) { - if (rate == IB_RATE_PORT_CURRENT) { + if (rate == IB_RATE_PORT_CURRENT) return 0; - } else if (rate < IB_RATE_2_5_GBPS || rate > IB_RATE_300_GBPS) { + + if (rate < IB_RATE_2_5_GBPS || rate > IB_RATE_300_GBPS) return -EINVAL; - } else { - while (rate != IB_RATE_2_5_GBPS && - !(1 << (rate + MLX5_STAT_RATE_OFFSET) & - dev->mdev.caps.stat_rate_support)) - --rate; - }
- return rate + MLX5_STAT_RATE_OFFSET; + while (rate != IB_RATE_PORT_CURRENT && + !(1 << (rate + MLX5_STAT_RATE_OFFSET) & + dev->mdev.caps.stat_rate_support)) + --rate; + + return rate ? rate + MLX5_STAT_RATE_OFFSET : rate; }
static int mlx5_set_path(struct mlx5_ib_dev *dev, const struct ib_ah_attr *ah,
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter dan.carpenter@oracle.com
commit 8005b09d99fac78e6f5fb9da30b5ae94840af03b upstream.
The current error handling code has an issue where it does:
if (priv->txchan) cpdma_chan_destroy(priv->txchan);
The problem is that ->txchan is either valid or an error pointer (which would lead to an Oops). I've changed it to use multiple error labels so that the test can be removed.
Also there were some missing calls to netif_napi_del().
Fixes: 3ef0fdb2342c ("net: davinci_emac: switch to new cpdma layer") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/ethernet/ti/davinci_emac.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-)
--- a/drivers/net/ethernet/ti/davinci_emac.c +++ b/drivers/net/ethernet/ti/davinci_emac.c @@ -1971,7 +1971,7 @@ static int davinci_emac_probe(struct pla if (IS_ERR(priv->txchan)) { dev_err(&pdev->dev, "error initializing tx dma channel\n"); rc = PTR_ERR(priv->txchan); - goto no_cpdma_chan; + goto err_free_dma; }
priv->rxchan = cpdma_chan_create(priv->dma, rx_chan_num(EMAC_DEF_RX_CH), @@ -1979,14 +1979,14 @@ static int davinci_emac_probe(struct pla if (IS_ERR(priv->rxchan)) { dev_err(&pdev->dev, "error initializing rx dma channel\n"); rc = PTR_ERR(priv->rxchan); - goto no_cpdma_chan; + goto err_free_txchan; }
res = platform_get_resource(pdev, IORESOURCE_IRQ, 0); if (!res) { dev_err(&pdev->dev, "error getting irq res\n"); rc = -ENOENT; - goto no_cpdma_chan; + goto err_free_rxchan; } ndev->irq = res->start;
@@ -2008,7 +2008,7 @@ static int davinci_emac_probe(struct pla pm_runtime_put_noidle(&pdev->dev); dev_err(&pdev->dev, "%s: failed to get_sync(%d)\n", __func__, rc); - goto no_cpdma_chan; + goto err_napi_del; }
/* register the network device */ @@ -2018,7 +2018,7 @@ static int davinci_emac_probe(struct pla dev_err(&pdev->dev, "error in register_netdev\n"); rc = -ENODEV; pm_runtime_put(&pdev->dev); - goto no_cpdma_chan; + goto err_napi_del; }
@@ -2031,11 +2031,13 @@ static int davinci_emac_probe(struct pla
return 0;
-no_cpdma_chan: - if (priv->txchan) - cpdma_chan_destroy(priv->txchan); - if (priv->rxchan) - cpdma_chan_destroy(priv->rxchan); +err_napi_del: + netif_napi_del(&priv->napi); +err_free_rxchan: + cpdma_chan_destroy(priv->rxchan); +err_free_txchan: + cpdma_chan_destroy(priv->txchan); +err_free_dma: cpdma_ctlr_destroy(priv->dma); no_pdata: free_netdev(ndev);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King colin.king@canonical.com
commit ba3696e94d9d590d9a7e55f68e81c25dba515191 upstream.
Trivial fix to spelling mistake in debugfs_entries text.
Fixes: 669e846e6c4e ("KVM/MIPS32: MIPS arch specific APIs for KVM") Signed-off-by: Colin Ian King colin.king@canonical.com Cc: Ralf Baechle ralf@linux-mips.org Cc: linux-mips@linux-mips.org Cc: kernel-janitors@vger.kernel.org Signed-off-by: James Hogan jhogan@kernel.org [bwh: Backported to 3.16: adjust filename, context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/mips/kvm/kvm_mips.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/mips/kvm/kvm_mips.c +++ b/arch/mips/kvm/kvm_mips.c @@ -38,7 +38,7 @@ struct kvm_stats_debugfs_item debugfs_en { "cache", VCPU_STAT(cache_exits) }, { "signal", VCPU_STAT(signal_exits) }, { "interrupt", VCPU_STAT(int_exits) }, - { "cop_unsuable", VCPU_STAT(cop_unusable_exits) }, + { "cop_unusable", VCPU_STAT(cop_unusable_exits) }, { "tlbmod", VCPU_STAT(tlbmod_exits) }, { "tlbmiss_ld", VCPU_STAT(tlbmiss_ld_exits) }, { "tlbmiss_st", VCPU_STAT(tlbmiss_st_exits) },
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo tj@kernel.org
commit 322579dcc865b94b47345ad1b6002ad167f85405 upstream.
Sandisk SSDs SD7SN6S256G and SD8SN8U256G are regularly locking up regularly under sustained moderate load with NCQ enabled. Blacklist for now.
Signed-off-by: Tejun Heo tj@kernel.org Reported-by: Dave Jones davej@codemonkey.org.uk Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/ata/libata-core.c | 4 ++++ 1 file changed, 4 insertions(+)
--- a/drivers/ata/libata-core.c +++ b/drivers/ata/libata-core.c @@ -4187,6 +4187,10 @@ static const struct ata_blacklist_entry /* https://bugzilla.kernel.org/show_bug.cgi?id=15573 */ { "C300-CTFDDAC128MAG", "0001", ATA_HORKAGE_NONCQ, },
+ /* Some Sandisk SSDs lock up hard with NCQ enabled. Reported on + SD7SN6S256G and SD8SN8U256G */ + { "SanDisk SD[78]SN*G", NULL, ATA_HORKAGE_NONCQ, }, + /* devices which puke on READ_NATIVE_MAX */ { "HDS724040KLSA80", "KFAOA20N", ATA_HORKAGE_BROKEN_HPA, }, { "WDC WD3200JD-00KLB0", "WD-WCAMR1130137", ATA_HORKAGE_BROKEN_HPA },
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o tytso@mit.edu
commit b2569260d55228b617bd82aba6d0db2faeeb4116 upstream.
If ext4 tries to start a reserved handle via jbd2_journal_start_reserved(), and the journal has been aborted, this can result in a NULL pointer dereference. This is because the fields h_journal and h_transaction in the handle structure share the same memory, via a union, so jbd2_journal_start_reserved() will clear h_journal before calling start_this_handle(). If this function fails due to an aborted handle, h_journal will still be NULL, and the call to jbd2_journal_free_reserved() will pass a NULL journal to sub_reserve_credits().
This can be reproduced by running "kvm-xfstests -c dioread_nolock generic/475".
Fixes: 8f7d89f36829b ("jbd2: transaction reservation support") Signed-off-by: Theodore Ts'o tytso@mit.edu Reviewed-by: Andreas Dilger adilger@dilger.ca Reviewed-by: Jan Kara jack@suse.cz Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/jbd2/transaction.c | 1 + 1 file changed, 1 insertion(+)
--- a/fs/jbd2/transaction.c +++ b/fs/jbd2/transaction.c @@ -515,6 +515,7 @@ int jbd2_journal_start_reserved(handle_t */ ret = start_this_handle(journal, handle, GFP_NOFS); if (ret < 0) { + handle->h_journal = journal; jbd2_journal_free_reserved(handle); return ret; }
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp
commit 903f9db10f18f735e62ba447147b6c434b6af003 upstream.
syzbot is reporting kernel panic [1] triggered by memory allocation failure at tty_ldisc_get() from tty_ldisc_init(). But since both tty_ldisc_get() and caller of tty_ldisc_init() can cleanly handle errors, tty_ldisc_init() does not need to call panic() when tty_ldisc_get() failed.
[1] https://syzkaller.appspot.com/bug?id=883431818e036ae6a9981156a64b821110f3918...
Signed-off-by: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp Reported-by: syzbot syzkaller@googlegroups.com Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org Cc: Jiri Slaby jslaby@suse.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/tty/tty_io.c | 5 ++++- drivers/tty/tty_ldisc.c | 5 +++-- include/linux/tty.h | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-)
--- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c @@ -3036,7 +3036,10 @@ struct tty_struct *alloc_tty_struct(stru
kref_init(&tty->kref); tty->magic = TTY_MAGIC; - tty_ldisc_init(tty); + if (tty_ldisc_init(tty)) { + kfree(tty); + return NULL; + } tty->session = NULL; tty->pgrp = NULL; mutex_init(&tty->legacy_mutex); --- a/drivers/tty/tty_ldisc.c +++ b/drivers/tty/tty_ldisc.c @@ -820,12 +820,13 @@ void tty_ldisc_release(struct tty_struct * the tty structure is not completely set up when this call is made. */
-void tty_ldisc_init(struct tty_struct *tty) +int tty_ldisc_init(struct tty_struct *tty) { struct tty_ldisc *ld = tty_ldisc_get(tty, N_TTY); if (IS_ERR(ld)) - panic("n_tty: init_tty"); + return PTR_ERR(ld); tty->ldisc = ld; + return 0; }
/** --- a/include/linux/tty.h +++ b/include/linux/tty.h @@ -556,7 +556,7 @@ extern int tty_unregister_ldisc(int disc extern int tty_set_ldisc(struct tty_struct *tty, int ldisc); extern int tty_ldisc_setup(struct tty_struct *tty, struct tty_struct *o_tty); extern void tty_ldisc_release(struct tty_struct *tty, struct tty_struct *o_tty); -extern void tty_ldisc_init(struct tty_struct *tty); +extern int __must_check tty_ldisc_init(struct tty_struct *tty); extern void tty_ldisc_deinit(struct tty_struct *tty); extern void tty_ldisc_begin(void);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nikolay Borisov nborisov@suse.com
commit d87ff75863e92a500538ab53318c5740f196631e upstream.
As with every function which deals with modifying the btree btrfs_uuid_tree_rem can fail for any number of reasons (ie. EIO/ENOMEM). Handle return error value from this function gracefully by aborting the transaction.
Fixes: dd5f9615fc5c ("Btrfs: maintain subvolume items in the UUID tree") Signed-off-by: Nikolay Borisov nborisov@suse.com Reviewed-by: David Sterba dsterba@suse.com Signed-off-by: David Sterba dsterba@suse.com [bwh: Backported to 3.16: - btrfs_{abort,end}_transaction() take a pointer to btrfs_root - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -5051,11 +5051,17 @@ static long _btrfs_ioctl_set_received_su received_uuid_changed = memcmp(root_item->received_uuid, sa->uuid, BTRFS_UUID_SIZE); if (received_uuid_changed && - !btrfs_is_empty_uuid(root_item->received_uuid)) - btrfs_uuid_tree_rem(trans, root->fs_info->uuid_root, - root_item->received_uuid, - BTRFS_UUID_KEY_RECEIVED_SUBVOL, - root->root_key.objectid); + !btrfs_is_empty_uuid(root_item->received_uuid)) { + ret = btrfs_uuid_tree_rem(trans, root->fs_info->uuid_root, + root_item->received_uuid, + BTRFS_UUID_KEY_RECEIVED_SUBVOL, + root->root_key.objectid); + if (ret && ret != -ENOENT) { + btrfs_abort_transaction(trans, root, ret); + btrfs_end_transaction(trans, root); + goto out; + } + } memcpy(root_item->received_uuid, sa->uuid, BTRFS_UUID_SIZE); btrfs_set_root_stransid(root_item, sa->stransid); btrfs_set_root_rtransid(root_item, sa->rtransid);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings ben.hutchings@codethink.co.uk
commit 3a9910d7b686546dcc9986e790af17e148f1c888 upstream.
qla2x00_tmf_sp_done() now deletes the timer that will run qla2x00_tmf_iocb_timeout(), but doesn't check whether the timer already expired. Check the return value from del_timer() to avoid calling complete() a second time.
Fixes: 4440e46d5db7 ("[SCSI] qla2xxx: Add IOCB Abort command asynchronous ...") Fixes: 1514839b3664 ("scsi: qla2xxx: Fix NULL pointer crash due to active ...") Signed-off-by: Ben Hutchings ben.hutchings@codethink.co.uk Acked-by: Himanshu Madhani himanshu.madhani@cavium.com Signed-off-by: Martin K. Petersen martin.petersen@oracle.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/scsi/qla2xxx/qla_init.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/scsi/qla2xxx/qla_init.c +++ b/drivers/scsi/qla2xxx/qla_init.c @@ -363,8 +363,8 @@ qla24xx_abort_sp_done(void *data, void * srb_t *sp = (srb_t *)ptr; struct srb_iocb *abt = &sp->u.iocb_cmd;
- del_timer(&sp->u.iocb_cmd.timer); - complete(&abt->u.abt.comp); + if (del_timer(&sp->u.iocb_cmd.timer)) + complete(&abt->u.abt.comp); }
static int
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Khoroshilov khoroshilov@ispras.ru
commit fb5c6cfaec126d9a96b9dd471d4711bf4c737a6f upstream.
vmxnet3_set_mc() checks new_table_pa returned by dma_map_single() with dma_mapping_error(), but even there it assumes zero is invalid pa (it assumes dma_mapping_error(...,0) returns true if new_table is NULL).
The patch adds an explicit variable to track status of new_table_pa.
Found by Linux Driver Verification project (linuxtesting.org).
v2: use "bool" and "true"/"false" for boolean variables. Signed-off-by: Alexey Khoroshilov khoroshilov@ispras.ru Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/vmxnet3/vmxnet3_drv.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-)
--- a/drivers/net/vmxnet3/vmxnet3_drv.c +++ b/drivers/net/vmxnet3/vmxnet3_drv.c @@ -2078,6 +2078,7 @@ vmxnet3_set_mc(struct net_device *netdev &adapter->shared->devRead.rxFilterConf; u8 *new_table = NULL; dma_addr_t new_table_pa = 0; + bool new_table_pa_valid = false; u32 new_mode = VMXNET3_RXM_UCAST;
if (netdev->flags & IFF_PROMISC) { @@ -2105,13 +2106,15 @@ vmxnet3_set_mc(struct net_device *netdev new_table, rxConf->mfTableLen, PCI_DMA_TODEVICE); + if (!dma_mapping_error(&adapter->pdev->dev, + new_table_pa)) { + new_mode |= VMXNET3_RXM_MCAST; + new_table_pa_valid = true; + rxConf->mfTablePA = cpu_to_le64( + new_table_pa); + } } - - if (!dma_mapping_error(&adapter->pdev->dev, - new_table_pa)) { - new_mode |= VMXNET3_RXM_MCAST; - rxConf->mfTablePA = cpu_to_le64(new_table_pa); - } else { + if (!new_table_pa_valid) { netdev_info(netdev, "failed to copy mcast list, setting ALL_MULTI\n"); new_mode |= VMXNET3_RXM_ALL_MULTI; @@ -2136,7 +2139,7 @@ vmxnet3_set_mc(struct net_device *netdev VMXNET3_CMD_UPDATE_MAC_FILTERS); spin_unlock_irqrestore(&adapter->cmd_lock, flags);
- if (new_table_pa) + if (new_table_pa_valid) dma_unmap_single(&adapter->pdev->dev, new_table_pa, rxConf->mfTableLen, PCI_DMA_TODEVICE); kfree(new_table);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter dan.carpenter@oracle.com
commit c37a3c94775855567b90f91775b9691e10bd2806 upstream.
If acpi_id is == nr_acpi_bits, then we access one element beyond the end of the acpi_psd[] array or we set one bit beyond the end of the bit map when we do __set_bit(acpi_id, acpi_id_present);
Fixes: 59a568029181 ("xen/acpi-processor: C and P-state driver that uploads said data to hypervisor.") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Reviewed-by: Joao Martins joao.m.martins@oracle.com Reviewed-by: Juergen Gross jgross@suse.com Signed-off-by: Boris Ostrovsky boris.ostrovsky@oracle.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/xen/xen-acpi-processor.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/xen/xen-acpi-processor.c +++ b/drivers/xen/xen-acpi-processor.c @@ -362,9 +362,9 @@ read_acpi_id(acpi_handle handle, u32 lvl } /* There are more ACPI Processor objects than in x2APIC or MADT. * This can happen with incorrect ACPI SSDT declerations. */ - if (acpi_id > nr_acpi_bits) { - pr_debug("We only have %u, trying to set %u\n", - nr_acpi_bits, acpi_id); + if (acpi_id >= nr_acpi_bits) { + pr_debug("max acpi id %u, trying to set %u\n", + nr_acpi_bits - 1, acpi_id); return AE_OK; } /* OK, There is a ACPI Processor object */
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Linus Torvalds torvalds@linux-foundation.org
commit 423913ad4ae5b3e8fb8983f70969fb522261ba26 upstream.
Commit be83bbf80682 ("mmap: introduce sane default mmap limits") was introduced to catch problems in various ad-hoc character device drivers doing mmap and getting the size limits wrong. In the process, it used "known good" limits for the normal cases of mapping regular files and block device drivers.
It turns out that the "s_maxbytes" limit was less "known good" than I thought. In particular, /proc doesn't set it, but exposes one regular file to mmap: /proc/vmcore. As a result, that file got limited to the default MAX_INT s_maxbytes value.
This went unnoticed for a while, because apparently the only thing that needs it is the s390 kernel zfcpdump, but there might be other tools that use this too.
Vasily suggested just changing s_maxbytes for all of /proc, which isn't wrong, but makes me nervous at this stage. So instead, just make the new mmap limit always be MAX_LFS_FILESIZE for regular files, which won't affect anything else. It wasn't the regular file case I was worried about.
I'd really prefer for maxsize to have been per-inode, but that is not how things are today.
Fixes: be83bbf80682 ("mmap: introduce sane default mmap limits") Reported-by: Vasily Gorbik gor@linux.ibm.com Cc: Al Viro viro@zeniv.linux.org.uk Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- mm/mmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/mmap.c +++ b/mm/mmap.c @@ -1237,7 +1237,7 @@ static inline int mlock_future_check(str static inline u64 file_mmap_size_max(struct file *file, struct inode *inode) { if (S_ISREG(inode->i_mode)) - return inode->i_sb->s_maxbytes; + return MAX_LFS_FILESIZE;
if (S_ISBLK(inode->i_mode)) return MAX_LFS_FILESIZE;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Romain Izard romain.izard.pro@gmail.com
commit 78a8dfbabbece22bee58ac4cb26cab10e7a19c5d upstream.
When opening a device with write access, ubiblock_open returns an error code. Currently, this error code is -EPERM, but this is not the right value.
The open function for other block devices returns -EROFS when opening read-only devices with FMODE_WRITE set. When used with dm-verity, the veritysetup userspace tool is expecting EROFS, and refuses to use the ubiblock device.
Use -EROFS for ubiblock as well. As a result, veritysetup accepts the ubiblock device as valid.
Fixes: 9d54c8a33eec (UBI: R/O block driver on top of UBI volumes) Signed-off-by: Romain Izard romain.izard.pro@gmail.com Signed-off-by: Richard Weinberger richard@nod.at Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/mtd/ubi/block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mtd/ubi/block.c +++ b/drivers/mtd/ubi/block.c @@ -322,7 +322,7 @@ static int ubiblock_open(struct block_de * in any case. */ if (mode & FMODE_WRITE) { - ret = -EPERM; + ret = -EROFS; goto out_unlock; }
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Ignatov rdna@fb.com
commit 1b97013bfb11d66f041de691de6f0fec748ce016 upstream.
Fix more memory leaks in ip_cmsg_send() callers. Part of them were fixed earlier in 919483096bfe.
* udp_sendmsg one was there since the beginning when linux sources were first added to git; * ping_v4_sendmsg one was copy/pasted in c319b4d76b9e.
Whenever return happens in udp_sendmsg() or ping_v4_sendmsg() IP options have to be freed if they were allocated previously.
Add label so that future callers (if any) can use it instead of kfree() before return that is easy to forget.
Fixes: c319b4d76b9e (net: ipv4: add IPPROTO_ICMP socket kind) Signed-off-by: Andrey Ignatov rdna@fb.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/ipv4/ping.c | 7 +++++-- net/ipv4/udp.c | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-)
--- a/net/ipv4/ping.c +++ b/net/ipv4/ping.c @@ -779,8 +779,10 @@ static int ping_v4_sendmsg(struct kiocb ipc.addr = faddr = daddr;
if (ipc.opt && ipc.opt->opt.srr) { - if (!daddr) - return -EINVAL; + if (!daddr) { + err = -EINVAL; + goto out_free; + } faddr = ipc.opt->opt.faddr; } tos = get_rttos(&ipc, inet); @@ -845,6 +847,7 @@ back_from_confirm:
out: ip_rt_put(rt); +out_free: if (free) kfree(ipc.opt); if (!err) { --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -997,8 +997,10 @@ int udp_sendmsg(struct kiocb *iocb, stru ipc.addr = faddr = daddr;
if (ipc.opt && ipc.opt->opt.srr) { - if (!daddr) - return -EINVAL; + if (!daddr) { + err = -EINVAL; + goto out_free; + } faddr = ipc.opt->opt.faddr; connected = 0; } @@ -1103,6 +1105,7 @@ do_append_data:
out: ip_rt_put(rt); +out_free: if (free) kfree(ipc.opt); if (!err)
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Federico Cuello fedux@fedux.com.ar
commit 21493316a3c4598f308d5a9fa31cc74639c4caff upstream.
Currently it's not possible to set volume lower than 26% (it just mutes).
Also fixes this warning:
Warning! Unlikely big volume range (=9472), cval->res is probably wrong. [13] FU [PCM Playback Volume] ch = 2, val = -9473/-1/1
, and volume works fine for full range.
Signed-off-by: Federico Cuello fedux@fedux.com.ar Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/usb/mixer.c | 8 ++++++++ 1 file changed, 8 insertions(+)
--- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -885,6 +885,14 @@ static void volume_control_quirks(struct } break;
+ case USB_ID(0x0d8c, 0x0103): + if (!strcmp(kctl->id.name, "PCM Playback Volume")) { + usb_audio_info(chip, + "set volume quirk for CM102-A+/102S+\n"); + cval->min = -256; + } + break; + case USB_ID(0x0471, 0x0101): case USB_ID(0x0471, 0x0104): case USB_ID(0x0471, 0x0105):
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bjørn Mork bjorn@mork.no
commit 5697db4a696c41601a1d15c1922150b4dbf5726c upstream.
The USB_DEVICE_INTERFACE_NUMBER matching macro assumes that the { vendorid, productid, interfacenumber } set uniquely identifies one specific function. This has proven to fail for some configurable devices. One example is the Quectel EM06/EP06 where the same interface number can be either QMI or MBIM, without the device ID changing either.
Fix by requiring the vendor-specific class for interface number based matching. Functions of other classes can and should use class based matching instead.
Fixes: 03304bcb5ec4 ("net: qmi_wwan: use fixed interface number matching") Signed-off-by: Bjørn Mork bjorn@mork.no Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/usb/qmi_wwan.c | 12 ++++++++++++ 1 file changed, 12 insertions(+)
--- a/drivers/net/usb/qmi_wwan.c +++ b/drivers/net/usb/qmi_wwan.c @@ -899,6 +899,18 @@ static int qmi_wwan_probe(struct usb_int id->driver_info = (unsigned long)&qmi_wwan_info; }
+ /* There are devices where the same interface number can be + * configured as different functions. We should only bind to + * vendor specific functions when matching on interface number + */ + if (id->match_flags & USB_DEVICE_ID_MATCH_INT_NUMBER && + desc->bInterfaceClass != USB_CLASS_VENDOR_SPEC) { + dev_dbg(&intf->dev, + "Rejecting interface number match for class %02x\n", + desc->bInterfaceClass); + return -ENODEV; + } + /* Quectel EC20 quirk where we've QMI on interface 4 instead of 0 */ if (quectel_ec20_detected(intf) && desc->bInterfaceNumber == 0) { dev_dbg(&intf->dev, "Quectel EC20 quirk, skipping interface 0\n");
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dou Liyang douly.fnst@cn.fujitsu.com
commit 10daf10ab154e31237a8c07242be3063fb6a9bf4 upstream.
RongQing reported that there are some X2APIC id 0xffffffff in his machine's ACPI MADT table, which makes the number of possible CPU inaccurate.
The reason is that the ACPI X2APIC parser has no sanity check for APIC ID 0xffffffff, which is an invalid id in all APIC types. See "Intel® 64 Architecture x2APIC Specification", Chapter 2.4.1.
Add a sanity check to acpi_parse_x2apic() which ignores the invalid id.
Reported-by: Li RongQing lirongqing@baidu.com Signed-off-by: Dou Liyang douly.fnst@cn.fujitsu.com Signed-off-by: Thomas Gleixner tglx@linutronix.de Cc: len.brown@intel.com Cc: rjw@rjwysocki.net Cc: hpa@zytor.com Link: https://lkml.kernel.org/r/20180412014052.25186-1-douly.fnst@cn.fujitsu.com [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/arch/x86/kernel/acpi/boot.c +++ b/arch/x86/kernel/acpi/boot.c @@ -227,6 +227,11 @@ acpi_parse_x2apic(struct acpi_subtable_h
apic_id = processor->local_apic_id; enabled = processor->lapic_flags & ACPI_MADT_ENABLED; + + /* Ignore invalid ID */ + if (apic_id == 0xffffffff) + return 0; + #ifdef CONFIG_X86_X2APIC /* * We need to register disabled CPU as well to permit
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Julian Wiedmann jwi@linux.ibm.com
commit a936b1ef37ce1e996533878f4b23944f9444dcdf upstream.
Creating the global workqueue during driver init may fail, deal with it. Also, destroy the created workqueue on any subsequent error.
Fixes: 0f54761d167f ("qeth: Support VEPA mode") Signed-off-by: Julian Wiedmann jwi@linux.ibm.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/s390/net/qeth_core_main.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/s390/net/qeth_core_main.c +++ b/drivers/s390/net/qeth_core_main.c @@ -5832,10 +5832,14 @@ static int __init qeth_core_init(void) mutex_init(&qeth_mod_mutex);
qeth_wq = create_singlethread_workqueue("qeth_wq"); + if (!qeth_wq) { + rc = -ENOMEM; + goto out_err; + }
rc = qeth_register_dbf_views(); if (rc) - goto out_err; + goto dbf_err; qeth_core_root_dev = root_device_register("qeth"); rc = PTR_ERR_OR_ZERO(qeth_core_root_dev); if (rc) @@ -5872,6 +5876,8 @@ slab_err: root_device_unregister(qeth_core_root_dev); register_err: qeth_unregister_dbf_views(); +dbf_err: + destroy_workqueue(qeth_wq); out_err: pr_err("Initializing the qeth device driver failed\n"); return rc;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dave Airlie airlied@redhat.com
commit 76ef6b28ea4f81c3d511866a9b31392caa833126 upstream.
Since we have the ttm and gem vma managers using a subset of the file address space for objects, and these start at 0x100000000 they will overflow the new mmap checks.
I've checked all the mmap routines I could see for any bad behaviour but overall most people use GEM/TTM VMA managers even the legacy drivers have a hashtable.
Reported-and-Tested-by: Arthur Marsh (amarsh04 on #radeon) Fixes: be83bbf8068 (mmap: introduce sane default mmap limits) Signed-off-by: Dave Airlie airlied@redhat.com [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/gpu/drm/drm_fops.c | 1 + 1 file changed, 1 insertion(+)
--- a/drivers/gpu/drm/drm_fops.c +++ b/drivers/gpu/drm/drm_fops.c @@ -251,6 +251,7 @@ static int drm_open_helper(struct file * return -ENOMEM;
filp->private_data = priv; + filp->f_mode |= FMODE_UNSIGNED_OFFSET; priv->filp = filp; priv->uid = current_euid(); priv->pid = get_pid(task_pid(current));
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eliot Blennerhassett eliot@blennerhassett.gen.nz
commit 51e6f47dd2e3463dac6f37128fd7b7cb40c500de upstream.
Signed-off-by: Eliot Blennerhassett eliot@blennerhassett.gen.nz Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/pci/asihpi/hpimsginit.c | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-)
--- a/sound/pci/asihpi/hpimsginit.c +++ b/sound/pci/asihpi/hpimsginit.c @@ -1,7 +1,7 @@ /******************************************************************************
AudioScience HPI driver - Copyright (C) 1997-2011 AudioScience Inc. support@audioscience.com + Copyright (C) 1997-2014 AudioScience Inc. support@audioscience.com
This program is free software; you can redistribute it and/or modify it under the terms of version 2 of the GNU General Public License as @@ -37,11 +37,15 @@ static u16 gwSSX2_bypass; static void hpi_init_message(struct hpi_message *phm, u16 object, u16 function) { - memset(phm, 0, sizeof(*phm)); + u16 size; + if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) - phm->size = msg_size[object]; + size = msg_size[object]; else - phm->size = sizeof(*phm); + size = sizeof(*phm); + + memset(phm, 0, size); + phm->size = size;
if (gwSSX2_bypass) phm->type = HPI_TYPE_SSX2BYPASS_MESSAGE; @@ -60,12 +64,16 @@ static void hpi_init_message(struct hpi_ void hpi_init_response(struct hpi_response *phr, u16 object, u16 function, u16 error) { - memset(phr, 0, sizeof(*phr)); - phr->type = HPI_TYPE_RESPONSE; + u16 size; + if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) - phr->size = res_size[object]; + size = res_size[object]; else - phr->size = sizeof(*phr); + size = sizeof(*phr); + + memset(phr, 0, sizeof(*phr)); + phr->size = size; + phr->type = HPI_TYPE_RESPONSE; phr->object = object; phr->function = function; phr->error = error; @@ -86,7 +94,7 @@ void hpi_init_message_response(struct hp static void hpi_init_messageV1(struct hpi_message_header *phm, u16 size, u16 object, u16 function) { - memset(phm, 0, sizeof(*phm)); + memset(phm, 0, size); if ((object > 0) && (object <= HPI_OBJ_MAXINDEX)) { phm->size = size; phm->type = HPI_TYPE_REQUEST; @@ -100,7 +108,9 @@ static void hpi_init_messageV1(struct hp void hpi_init_responseV1(struct hpi_response_header *phr, u16 size, u16 object, u16 function) { - memset(phr, 0, sizeof(*phr)); + (void)object; + (void)function; + memset(phr, 0, size); phr->size = size; phr->version = 1; phr->type = HPI_TYPE_RESPONSE;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Martin Kelly mkelly@xevo.com
commit 3d13de4b027d5f6276c0f9d3a264f518747d83f2 upstream.
Currently, the following causes a kernel OOPS in memcpy:
echo 1073741825 > buffer/length echo 1 > buffer/enable
Note that using 1073741824 instead of 1073741825 causes "write error: Cannot allocate memory" but no OOPS.
This is because 1073741824 == 2^30 and 1073741825 == 2^30+1. Since kfifo rounds up to the nearest power of 2, it will actually call kmalloc with roundup_pow_of_two(length) * bytes_per_datum.
Using length == 1073741825 and bytes_per_datum == 2, we get:
kmalloc(roundup_pow_of_two(1073741825) * 2 or kmalloc(2147483648 * 2) or kmalloc(4294967296) or kmalloc(UINT_MAX + 1)
so this overflows to 0, causing kmalloc to return ZERO_SIZE_PTR and subsequent memcpy to fail once the device is enabled.
Fix this by checking for overflow prior to allocating a kfifo. With this check added, the above code returns -EINVAL when enabling the buffer, rather than causing an OOPS.
Signed-off-by: Martin Kelly mkelly@xevo.com Signed-off-by: Jonathan Cameron Jonathan.Cameron@huawei.com [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/iio/kfifo_buf.c | 7 +++++++ 1 file changed, 7 insertions(+)
--- a/drivers/iio/kfifo_buf.c +++ b/drivers/iio/kfifo_buf.c @@ -24,6 +24,13 @@ static inline int __iio_allocate_kfifo(s if ((length == 0) || (bytes_per_datum == 0)) return -EINVAL;
+ /* + * Make sure we don't overflow an unsigned int after kfifo rounds up to + * the next power of 2. + */ + if (roundup_pow_of_two(length) > UINT_MAX / bytes_per_datum) + return -EINVAL; + return __kfifo_alloc((struct __kfifo *)&buf->kf, length, bytes_per_datum, GFP_KERNEL); }
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long lucien.xin@gmail.com
commit ddea788c63094f7c483783265563dd5b50052e28 upstream.
After Commit 8a8efa22f51b ("bonding: sync netpoll code with bridge"), it would set slave_dev npinfo in slave_enable_netpoll when enslaving a dev if bond->dev->npinfo was set.
However now slave_dev npinfo is set with bond->dev->npinfo before calling slave_enable_netpoll. With slave_dev npinfo set, __netpoll_setup called in slave_enable_netpoll will not call slave dev's .ndo_netpoll_setup(). It causes that the lower dev of this slave dev can't set its npinfo.
One way to reproduce it:
# modprobe bonding # brctl addbr br0 # brctl addif br0 eth1 # ifconfig bond0 192.168.122.1/24 up # ifenslave bond0 eth2 # systemctl restart netconsole # ifenslave bond0 br0 # ifconfig eth2 down # systemctl restart netconsole
The netpoll won't really work.
This patch is to remove that slave_dev npinfo setting in bond_enslave().
Fixes: 8a8efa22f51b ("bonding: sync netpoll code with bridge") Signed-off-by: Xin Long lucien.xin@gmail.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/bonding/bond_main.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -1535,8 +1535,7 @@ int bond_enslave(struct net_device *bond } /* switch(bond_mode) */
#ifdef CONFIG_NET_POLL_CONTROLLER - slave_dev->npinfo = bond->dev->npinfo; - if (slave_dev->npinfo) { + if (bond->dev->npinfo) { if (slave_enable_netpoll(new_slave)) { pr_info("Error, %s: master_dev is using netpoll, but new slave device does not support netpoll\n", bond_dev->name);
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit f5e94b4c6ebdabe0f602d796e0430180927521a0 upstream.
When get_synthdev() is called for a MIDI device, it returns the fixed midi_synth_dev without the use refcounting. OTOH, the caller is supposed to unreference unconditionally after the usage, so this would lead to unbalanced refcount.
This patch corrects the behavior and keep up the refcount balance also for the MIDI synth device.
Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/core/seq/oss/seq_oss_synth.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)
--- a/sound/core/seq/oss/seq_oss_synth.c +++ b/sound/core/seq/oss/seq_oss_synth.c @@ -363,10 +363,14 @@ get_synthdev(struct seq_oss_devinfo *dp, return NULL; if (! dp->synths[dev].opened) return NULL; - if (dp->synths[dev].is_midi) - return &midi_synth_dev; - if ((rec = get_sdev(dev)) == NULL) - return NULL; + if (dp->synths[dev].is_midi) { + rec = &midi_synth_dev; + snd_use_lock_use(&rec->use_lock); + } else { + rec = get_sdev(dev); + if (!rec) + return NULL; + } if (! rec->opened) { snd_use_lock_free(&rec->use_lock); return NULL;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Matt Redfearn matt.redfearn@mips.com
commit daf70d89f80c6e1772233da9e020114b1254e7e0 upstream.
The __clear_user function is defined to return the number of bytes that could not be cleared. From the underlying memset / bzero implementation this means setting register a2 to that number on return. Currently if a page fault is triggered within the memset_partial block, the value loaded into a2 on return is meaningless.
The label .Lpartial_fixup@ is jumped to on page fault. In order to work out how many bytes failed to copy, the exception handler should find how many bytes left in the partial block (andi a2, STORMASK), add that to the partial block end address (a2), and subtract the faulting address to get the remainder. Currently it incorrectly subtracts the partial block start address (t1), which has additionally been clobbered to generate a jump target in memset_partial. Fix this by adding the block end address instead.
This issue was found with the following test code: int j, k; for (j = 0; j < 512; j++) { if ((k = clear_user(NULL, j)) != j) { pr_err("clear_user (NULL %d) returned %d\n", j, k); } } Which now passes on Creator Ci40 (MIPS32) and Cavium Octeon II (MIPS64).
Suggested-by: James Hogan jhogan@kernel.org Signed-off-by: Matt Redfearn matt.redfearn@mips.com Cc: Ralf Baechle ralf@linux-mips.org Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/19108/ Signed-off-by: James Hogan jhogan@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/mips/lib/memset.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/mips/lib/memset.S +++ b/arch/mips/lib/memset.S @@ -204,7 +204,7 @@ PTR_L t0, TI_TASK($28) andi a2, STORMASK LONG_L t0, THREAD_BUADDR(t0) - LONG_ADDU a2, t1 + LONG_ADDU a2, a0 jr ra LONG_SUBU a2, t0
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro viro@zeniv.linux.org.uk
commit 30da870ce4a4e007c901858a96e9e394a1daa74a upstream.
we unlock the directory hash too early - if we are looking at secondary link and primary (in another directory) gets removed just as we unlock, we could have the old primary moved in place of the secondary, leaving us to look into freed entry (and leaving our dentry with ->d_fsdata pointing to a freed entry).
Acked-by: David Sterba dsterba@suse.com Signed-off-by: Al Viro viro@zeniv.linux.org.uk Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/affs/namei.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-)
--- a/fs/affs/namei.c +++ b/fs/affs/namei.c @@ -224,9 +224,10 @@ affs_lookup(struct inode *dir, struct de
affs_lock_dir(dir); bh = affs_find_entry(dir, dentry); - affs_unlock_dir(dir); - if (IS_ERR(bh)) + if (IS_ERR(bh)) { + affs_unlock_dir(dir); return ERR_CAST(bh); + } if (bh) { u32 ino = bh->b_blocknr;
@@ -240,10 +241,13 @@ affs_lookup(struct inode *dir, struct de } affs_brelse(bh); inode = affs_iget(sb, ino); - if (IS_ERR(inode)) + if (IS_ERR(inode)) { + affs_unlock_dir(dir); return ERR_CAST(inode); + } } d_add(dentry, inode); + affs_unlock_dir(dir); return NULL; }
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Yishai Hadas yishaih@mellanox.com
commit 18b0362e87dfa09e355093b897b9db854e360d28 upstream.
User can leave system without medium BlueFlames registers, however the code assumed that at least one such register exists.
This patch fixes that assumption.
Fixes: c1be5232d21d ("IB/mlx5: Fix micro UAR allocator") Reported-by: Rohit Zambre rzambre@uci.edu Signed-off-by: Yishai Hadas yishaih@mellanox.com Signed-off-by: Leon Romanovsky leonro@mellanox.com Signed-off-by: Doug Ledford dledford@redhat.com [bwh: Backported to 3.16: - s/bfreg/uuar/g - Neither alloc_med_class_uuar() nor num_med_uuar() takes a mlx5_ib_dev pointer, so first_med_uuar() doesn't need to take one - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/infiniband/hw/mlx5/qp.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-)
--- a/drivers/infiniband/hw/mlx5/qp.c +++ b/drivers/infiniband/hw/mlx5/qp.c @@ -356,11 +356,6 @@ static int qp_has_rq(struct ib_qp_init_a return 1; }
-static int first_med_uuar(void) -{ - return 1; -} - static int next_uuar(int n) { n++; @@ -395,6 +390,11 @@ static int max_uuari(struct mlx5_uuar_in return uuari->num_uars * 4; }
+static int first_med_uuar(struct mlx5_uuar_info *uuari) +{ + return num_med_uuar(uuari) ? 1 : -ENOMEM; +} + static int first_hi_uuar(struct mlx5_uuar_info *uuari) { int med; @@ -420,10 +420,13 @@ static int alloc_high_class_uuar(struct
static int alloc_med_class_uuar(struct mlx5_uuar_info *uuari) { - int minidx = first_med_uuar(); + int minidx = first_med_uuar(uuari); int i;
- for (i = first_med_uuar(); i < first_hi_uuar(uuari); i = next_uuar(i)) { + if (minidx < 0) + return minidx; + + for (i = minidx; i < first_hi_uuar(uuari); i = next_uuar(i)) { if (uuari->count[i] < uuari->count[minidx]) minidx = i; if (!uuari->count[minidx])
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Florian Fainelli f.fainelli@gmail.com
commit c0eb05585d4184596453622b5abba7d13dd20667 upstream.
skb->protocol is a __be16 which we would be calling htons() against, while this is not wrong per-se as it correctly results in swapping the value on LE hosts, this still upsets sparse. Adopt a similar pattern to what other drivers do and just assign ip_ver to skb->protocol, and then use htons() against the different constants such that the compiler can resolve the values at build time.
Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver") Signed-off-by: Florian Fainelli f.fainelli@gmail.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/ethernet/broadcom/bcmsysport.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)
--- a/drivers/net/ethernet/broadcom/bcmsysport.c +++ b/drivers/net/ethernet/broadcom/bcmsysport.c @@ -772,7 +772,7 @@ static struct sk_buff *bcm_sysport_inser u32 csum_info; u8 ip_proto; u16 csum_start; - u16 ip_ver; + __be16 ip_ver;
/* Re-allocate SKB if needed */ if (unlikely(skb_headroom(skb) < sizeof(*tsb))) { @@ -791,12 +791,12 @@ static struct sk_buff *bcm_sysport_inser memset(tsb, 0, sizeof(*tsb));
if (skb->ip_summed == CHECKSUM_PARTIAL) { - ip_ver = htons(skb->protocol); + ip_ver = skb->protocol; switch (ip_ver) { - case ETH_P_IP: + case htons(ETH_P_IP): ip_proto = ip_hdr(skb)->protocol; break; - case ETH_P_IPV6: + case htons(ETH_P_IPV6): ip_proto = ipv6_hdr(skb)->nexthdr; break; default: @@ -810,7 +810,8 @@ static struct sk_buff *bcm_sysport_inser
if (ip_proto == IPPROTO_TCP || ip_proto == IPPROTO_UDP) { csum_info |= L4_LENGTH_VALID; - if (ip_proto == IPPROTO_UDP && ip_ver == ETH_P_IP) + if (ip_proto == IPPROTO_UDP && + ip_ver == htons(ETH_P_IP)) csum_info |= L4_UDP; } else csum_info = 0;
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mike Kravetz mike.kravetz@oracle.com
commit 5df63c2a149ae65a9ec239e7c2af44efa6f79beb upstream.
This is a fix for a regression in 32 bit kernels caused by an invalid check for pgoff overflow in hugetlbfs mmap setup. The check incorrectly specified that the size of a loff_t was the same as the size of a long. The regression prevents mapping hugetlbfs files at offsets greater than 4GB on 32 bit kernels.
On 32 bit kernels conversion from a page based unsigned long can not overflow a loff_t byte offset. Therefore, skip this check if sizeof(unsigned long) != sizeof(loff_t).
Link: http://lkml.kernel.org/r/20180330145402.5053-1-mike.kravetz@oracle.com Fixes: 63489f8e8211 ("hugetlbfs: check for pgoff value overflow") Reported-by: Dan Rue dan.rue@linaro.org Signed-off-by: Mike Kravetz mike.kravetz@oracle.com Tested-by: Anders Roxell anders.roxell@linaro.org Cc: Michal Hocko mhocko@kernel.org Cc: Yisheng Xie xieyisheng1@huawei.com Cc: "Kirill A . Shutemov" kirill.shutemov@linux.intel.com Cc: Nic Losby blurbdust@gmail.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/hugetlbfs/inode.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-)
--- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c @@ -127,10 +127,14 @@ static int hugetlbfs_file_mmap(struct fi
/* * page based offset in vm_pgoff could be sufficiently large to - * overflow a (l)off_t when converted to byte offset. + * overflow a loff_t when converted to byte offset. This can + * only happen on architectures where sizeof(loff_t) == + * sizeof(unsigned long). So, only check in those instances. */ - if (vma->vm_pgoff & PGOFF_LOFFT_MAX) - return -EINVAL; + if (sizeof(unsigned long) == sizeof(loff_t)) { + if (vma->vm_pgoff & PGOFF_LOFFT_MAX) + return -EINVAL; + }
/* must be huge page aligned */ if (vma->vm_pgoff & (~huge_page_mask(h) >> PAGE_SHIFT))
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Howells dhowells@redhat.com
commit 378831e4daec75fbba6d3612bcf3b4dd00ddbf08 upstream.
Doing faccessat("/afs/some/directory", 0) triggers a BUG in the permissions check code.
Fix this by just removing the BUG section. If no permissions are asked for, just return okay if the file exists.
Also:
(1) Split up the directory check so that it has separate if-statements rather than if-else-if (e.g. checking for MAY_EXEC shouldn't skip the check for MAY_READ and MAY_WRITE).
(2) Check for MAY_CHDIR as MAY_EXEC.
Without the main fix, the following BUG may occur:
kernel BUG at fs/afs/security.c:386! invalid opcode: 0000 [#1] SMP PTI ... RIP: 0010:afs_permission+0x19d/0x1a0 [kafs] ... Call Trace: ? inode_permission+0xbe/0x180 ? do_faccessat+0xdc/0x270 ? do_syscall_64+0x60/0x1f0 ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
Fixes: 00d3b7a4533e ("[AFS]: Add security support.") Reported-by: Jonathan Billings jsbillings@jsbillings.org Signed-off-by: David Howells dhowells@redhat.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/afs/security.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-)
--- a/fs/afs/security.c +++ b/fs/afs/security.c @@ -323,18 +323,14 @@ int afs_permission(struct inode *inode, mask, access, S_ISDIR(inode->i_mode) ? "dir" : "file");
if (S_ISDIR(inode->i_mode)) { - if (mask & MAY_EXEC) { + if (mask & (MAY_EXEC | MAY_READ | MAY_CHDIR)) { if (!(access & AFS_ACE_LOOKUP)) goto permission_denied; - } else if (mask & MAY_READ) { - if (!(access & AFS_ACE_LOOKUP)) - goto permission_denied; - } else if (mask & MAY_WRITE) { + } + if (mask & MAY_WRITE) { if (!(access & (AFS_ACE_DELETE | /* rmdir, unlink, rename from */ AFS_ACE_INSERT))) /* create, mkdir, symlink, rename to */ goto permission_denied; - } else { - BUG(); } } else { if (!(access & AFS_ACE_LOOKUP))
3.16.60-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault g.nault@alphalink.fr
commit 5411b6187adf62909e3b998ac782e722904c7487 upstream.
Commit 0e0c3fee3a59 ("l2tp: hold reference on tunnels printed in pppol2tp proc file") assumed that if pppol2tp_seq_stop() was called with non-NULL private data (the 'v' pointer), then pppol2tp_seq_start() would not be called again. It turns out that this isn't guaranteed, and overflowing the seq_file's buffer in pppol2tp_seq_show() is a way to get into this situation.
Therefore, pppol2tp_seq_stop() needs to reset pd->tunnel, so that pppol2tp_seq_start() won't drop a reference again if it gets called. We also have to clear pd->session, because the rest of the code expects a non-NULL tunnel when pd->session is set.
The l2tp_debugfs module has the same issue. Fix it in the same way.
Fixes: 0e0c3fee3a59 ("l2tp: hold reference on tunnels printed in pppol2tp proc file") Fixes: f726214d9b23 ("l2tp: hold reference on tunnels printed in l2tp/tunnels debugfs file") Signed-off-by: Guillaume Nault g.nault@alphalink.fr Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/l2tp/l2tp_debugfs.c | 5 ++++- net/l2tp/l2tp_ppp.c | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-)
--- a/net/l2tp/l2tp_debugfs.c +++ b/net/l2tp/l2tp_debugfs.c @@ -106,8 +106,11 @@ static void l2tp_dfs_seq_stop(struct seq return;
/* Drop reference taken by last invocation of l2tp_dfs_next_tunnel() */ - if (pd->tunnel) + if (pd->tunnel) { l2tp_tunnel_dec_refcount(pd->tunnel); + pd->tunnel = NULL; + pd->session = NULL; + } }
static void l2tp_dfs_seq_tunnel_show(struct seq_file *m, void *v) --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -1650,8 +1650,11 @@ static void pppol2tp_seq_stop(struct seq return;
/* Drop reference taken by last invocation of pppol2tp_next_tunnel() */ - if (pd->tunnel) + if (pd->tunnel) { l2tp_tunnel_dec_refcount(pd->tunnel); + pd->tunnel = NULL; + pd->session = NULL; + } }
static void pppol2tp_seq_tunnel_show(struct seq_file *m, void *v)